On Monday, the cross-chain token bridge Nomad was attacked and hackers siphoned $190 million from the protocol, draining the bulk of its funds. The Nomad bridge attack was the third largest crypto heist of 2022 and the ninth largest of all time.
The Nomad cross-chain bridge was exploited for $190 million
Cross-chain bridges in the world of decentralized finance (DeFi) just can't catch a break, no matter how long they have been in operation, even after the bridge has been audited. On August 1, 2022, the cross-chain bridge Nomad was attacked and lost roughly $190 million in crypto funds. Security experts at the blockchain auditing firm Certik released an incident report describing what happened.
"The vulnerability was in the initialization process with 'committedRoot' set as ZERO," Certik wrote. "Thus, the attacker was able to bypass the message validation process and eject the token from the bridge contract."
The exploit became possible after a routine upgrade initialized Nomad's bridge contract with a committed root of zero, so the contract treated the zero root as already confirmed. Because a message that has never been proven also resolves to the zero root, the validation check accepted arbitrary messages. Attackers were able to copy the first exploit transaction, substitute their own addresses, and drain nearly all of the bridge's funds before it was taken down.
Cross-chain bridges have been plagued by exploit after exploit since they were first introduced; in late March, $620 million was stolen from Axie Infinity's Ronin bridge in the largest hack of 2022. Researchers at Comparitech reported that the Nomad bridge attack was the third largest breach this year, according to the research firm's Crypto Heist Tracker. Nomad connected various blockchain networks, and AVA Labs founder and CEO Emin Gün Sirer tweeted about the incident to state that the Avalanche bridge is unaffected.
"Nomad bridge used in non-avalanche chain was hacked today," Gün Sirer wrote. "Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) – The Avalanche Bridge is unaffected."
Nomad raised $22 million in April, and blockchain security firm Certik noted that this particular bug was "difficult to detect with traditional auditing practices."
The attack on the Nomad bridge follows a financing round led by Polychain Capital in which the project raised approximately $22.4 million in seed funding; other strategic investors that helped Nomad raise money include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While an extensive audit could have found the Nomad bridge vulnerability, Certik's blockchain and smart contract auditors said the bug would be difficult to find in a traditional audit.
"This type of problem is difficult to detect with traditional auditing practices that assume all deployment configurations are correct because this particular bug was introduced by a mistake in the deployment parameters," Certik's report on the Nomad situation concluded. The auditor added, "However, with a more extensive audit process and full-scope penetration testing that includes validation of the deployment process, this bug could be found."
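To make the two points above concrete (the zero committed root bypassing message validation, and a deployment-process check that would have caught it), here is an added example that is not Nomad's or Certik's code. It is a simplified Python model of a bridge-side "replica" contract: `initialize` marks the committed root as confirmed, `process` looks up the root a message was proven against (zero if it was never proven) and asks `acceptable_root` whether that root may be acted on. The class and method names, the sentinel values, the constructed messages, and the use of SHA-256 in place of keccak256 are all assumptions of this example; the Merkle-proof verification of a real bridge is omitted.

```python
"""Model of the committedRoot == 0 validation bypass (added example, not Nomad's code)."""
import hashlib

ZERO_ROOT = b"\x00" * 32
# Assumed sentinel values for message status, distinct from any real root.
LEGACY_STATUS_PROVEN = b"\x00" * 31 + b"\x01"
LEGACY_STATUS_PROCESSED = b"\x00" * 31 + b"\x02"


def message_hash(message: bytes) -> bytes:
    """sha256 stands in for keccak256 so this runs with the standard library only."""
    return hashlib.sha256(message).digest()


class Replica:
    """Destination-chain contract that accepts messages proven against a confirmed root."""

    def __init__(self, committed_root: bytes, optimistic_seconds: int = 30,
                 reject_zero_root: bool = False):
        self.committed_root = committed_root
        self.optimistic_seconds = optimistic_seconds
        self.reject_zero_root = reject_zero_root       # hardened variant of the check
        # confirmAt[root] = earliest timestamp at which messages under that root
        # may be processed. Deployment marks the initial root as confirmed (1 = long ago).
        self.confirm_at = {committed_root: 1}
        # messages[hash] = root the message was proven against; unknown hash -> zero root
        self.messages = {}

    def update(self, new_root: bytes, now: int) -> None:
        """A signed update announces a new root; it becomes usable after the optimistic window."""
        self.confirm_at[new_root] = now + self.optimistic_seconds
        self.committed_root = new_root

    def prove(self, message: bytes, root: bytes) -> None:
        """Record that `message` is included under `root` (real code checks a Merkle proof)."""
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if root == LEGACY_STATUS_PROVEN:
            return True
        if root == LEGACY_STATUS_PROCESSED:
            return False
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                                # hardened: "never proven" is never acceptable
        confirmed_at = self.confirm_at.get(root, 0)
        if confirmed_at == 0:
            return False
        return now >= confirmed_at

    def process(self, message: bytes, now: int) -> bool:
        h = message_hash(message)
        root = self.messages.get(h, ZERO_ROOT)          # unproven messages map to the zero root
        if not self.acceptable_root(root, now):
            raise ValueError("!proven")
        self.messages[h] = LEGACY_STATUS_PROCESSED       # replay of the identical message now fails
        return True


def process_succeeds(replica: Replica, message: bytes, now: int) -> bool:
    try:
        return replica.process(message, now)
    except ValueError:
        return False


def deployment_is_safe(replica: Replica) -> bool:
    """Deployment-process check: the zero root must never be confirmable and never be the committed root."""
    return replica.committed_root != ZERO_ROOT and replica.confirm_at.get(ZERO_ROOT, 0) == 0


def demo() -> dict:
    """Constructed messages; the recipient strings are illustrative, not real addresses."""
    forged = b"release 100 WETH to 0xattacker1"
    copycat = b"release 100 WETH to 0xattacker2"          # same calldata, own address swapped in
    now = 1_000

    vulnerable = Replica(ZERO_ROOT)                      # deployed with committedRoot = 0
    safe = Replica(b"\x11" * 32)                         # deployed with a real root
    hardened = Replica(ZERO_ROOT, reject_zero_root=True)  # same bad parameter, fixed check

    return {
        "vulnerable_accepts_unproven": process_succeeds(vulnerable, forged, now),
        "vulnerable_rejects_exact_replay": process_succeeds(vulnerable, forged, now),
        "vulnerable_accepts_copycat": process_succeeds(vulnerable, copycat, now),
        "safe_rejects_unproven": process_succeeds(safe, forged, now),
        "hardened_rejects_unproven": process_succeeds(hardened, forged, now),
        "deployment_check_flags_vulnerable": deployment_is_safe(vulnerable),
        "deployment_check_passes_safe": deployment_is_safe(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details of the model match the incident narrative: the exact same exploit message cannot be processed twice (its status flips to processed), which is why copycats had to alter the recipient field and thereby the hash, and the hardened check rejects the zero root regardless of what the deployment wrote into `confirm_at`. The `deployment_is_safe` function is the kind of post-deployment assertion Certik's report calls for: run it against the live contract's storage after every initialization or upgrade rather than trusting that the parameters were correct.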