- The bulk of funds drained was USDC, WETH, and WBTC.
- Reportedly, a vulnerability in the Nomad bridge contract allowed it to accept arbitrary root hashes, letting several entities withdraw large amounts of assets.
Nomad, a protocol that lets users move digital assets between different blockchains, experienced a security exploit on Monday evening. The exploit led to nearly $200 million in crypto being drained from the bridge. According to analytics firm DeFi Llama, the bridge closed out July with a total value locked (TVL) of around $190M.
The exploit came to light when many users on crypto Twitter began watching the bridge get drained and raised concerns about suspicious transactions. Nomad soon followed with a tweet confirming the hack. The Nomad team stated that it was aware of the “incident involving the Nomad token bridge” and is “currently investigating the incident.”
Amid this, the Moonbeam smart contract platform from the Polkadot network, whose native GLMR token was one of those targeted in the Nomad exploit, went into maintenance mode “to investigate a security incident.” This is notable since the Nomad token bridge allows transfers of tokens between Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
Reportedly, the first suspicious transaction, touted as the genesis of the ongoing exploit, happened around 9:00 pm UTC, when someone managed to remove 100 Wrapped Bitcoin (WBTC), worth $2.3 million, from the bridge. Suspicion of a possible exploit surged as the hackers started removing tokens in nearly equivalent denominations. The misconfiguration in the token’s decimals led the community to look into the transactions more closely.
According to Twitter user samczsun, “I confirmed that while the Moonbeam transaction did bridge out 0.01 WBTC, somehow the Ethereum transaction bridged in 100 WBTC”. Following this, he found that the transaction to bridge in the WBTC did not prove anything, which pointed to the potential of a hack.
Simply put, a user manipulated code noted in the bridge’s audit, taking advantage of a vulnerable function to have every message on the bridge treated as valid. According to Evmos, a vulnerability in the Nomad bridge contract allowed it to accept arbitrary root hashes, letting several entities withdraw large amounts of assets. Once the exploit became news, many users also tried replicating the attack, hoping to drain some crypto.
The exploit has seen a wide range of tokens drained from the platform, including WBTC, WETH, USDC, FRAX, CQT, Hummingbird Governance Token (HBOT), IAGON (IAG), and Dai (DAI), among others. The latest exploit is untimely since it comes just four days after Nomad revealed the full list of investors who participated in its $22M seed round in April, which included big names like Coinbase Ventures, Wintermute, 1kx, and Polychain Capital.
This incident has again drawn attention to the increasing vulnerabilities of cross-chain bridges, which are becoming the favorite target of crypto hackers. Bridge exploits continue to be a top concern across the DeFi ecosystem, wreaking havoc on user funds. Earlier this year, Ronin Network, the Ethereum-powered sidechain for Axie Infinity, lost a staggering $625 million in one of the largest exploits in crypto history.