First decentralized heist? Nearly $200 million lost: an analysis of the attack on the cross-chain bridge Nomad

The cross-chain interoperability protocol Nomad Bridge suffered a security breach: hackers drained $190 million in funds from the bridge through a series of transactions.

Nomad allows token transfers between Ethereum, Evmos, Milkomeda and Moonbeam. Unlike other exploits that have become common in 2022, this attack featured hundreds of addresses receiving tokens directly from the bridge.

1

The incident first came to light through a tweet from @spreekaway saying that large amounts of WBTC were being withdrawn from the cross-chain interoperability protocol Nomad bridge.

The crypto KOL @0xfoobar then also tweeted that the Nomad bridge was being hacked, that WETH and WBTC were being transferred out one million dollars at a time, and that the 126 million dollars still in the contract might be at risk. The tweet reminded users to withdraw their funds as soon as possible.

In the next few hours, more than $190 million in cryptocurrency was withdrawn from the Nomad bridge, and the latest data shows that only $10,900 is currently left in the wallet.

2  

So how did the hackers use the vulnerability to launch the attack? Let's take the first suspicious transaction as an example.

Transaction hash:

https://eth.tokenview.com/en/tx/0xa5fe9d044e4f3e5aa5bc4c0709333cd2190cba0f4e7f16bcf73f49f83e4a5460

Victim's address:

https://eth.tokenview.com/en/address/0xa8c83b1b30291a3a1a118058b5445cc83041cd9d

Nomad contract address:

https://eth.tokenview.com/cn/address/0x88a69b4e698a4b090df6cf5bd7b2d47325ad30a3

The first suspicious transaction occurred at 08-02 05:32:31 Beijing time, when someone managed to withdraw 100 WBTC worth about $2.3 million from the Nomad bridge. Tracing the activity back to the Moonbeam network shows that when this address transferred 0.01 WBTC out through the bridge on Moonbeam, it received 100 WBTC on the Ethereum side of the bridge.

According to the latest news, about 41 addresses in the Nomad incident made a profit of about 152 million US dollars. Terra researcher FatMan said on Twitter that the Nomad attack was a decentralized heist.

The tokens taken from Nomad Bridge in this attack are: WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL), and Charli3 (C3).

According to the analysis of Paradigm security researcher samczsun, the main reason for the attack on Nomad is a fatal flaw in its replica contract. A routine upgrade marked the zero hash as a valid root, which made it possible to spoof messages on Nomad. Attackers exploited this by copying and pasting transactions, and the assets on the bridge were quickly drained in a frenzied free-for-all.
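The flaw samczsun describes, as a simplified Python model added here (it is not Nomad's contract code and not from the original article). It assumes that a message which was never proven reads back as the zero root, so once the zero root is trusted every unproven message passes; all class, method and variable names are illustrative.

```python
# Simplified model of a bridge "replica" message check (added example).
# Names and structure are illustrative assumptions, not Nomad's contract code.
import hashlib

ZERO_ROOT = b"\x00" * 32  # value an unset 32-byte storage slot reads back as
REAL_ROOT = hashlib.sha256(b"constructed root").digest()  # constructed sample


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool = False):
        self.confirm_at = {committed_root: 1}  # root -> time it becomes valid
        self.proven_under = {}                 # message hash -> root it was proven against
        self.reject_zero_root = reject_zero_root

    def acceptable_root(self, root: bytes, now: int = 2) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the "unset" sentinel is never a valid root
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and confirm_time <= now

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification, which is out of scope here.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def process(self, message: bytes) -> bool:
        msg_hash = hashlib.sha256(message).digest()
        # Assumption: a message that was never proven maps to the zero root.
        root = self.proven_under.get(msg_hash, ZERO_ROOT)
        return self.acceptable_root(root)


def accepts_unproven_message(replica: Replica) -> bool:
    """Post-upgrade invariant check: must be False for a safe deployment."""
    return replica.process(b"constructed message that was never proven")


# Constructed scenarios
flawed = Replica(committed_root=ZERO_ROOT)    # upgrade trusted the zero hash
hardened = Replica(committed_root=ZERO_ROOT, reject_zero_root=True)
normal = Replica(committed_root=REAL_ROOT)    # a real root was committed

if __name__ == "__main__":
    for name, replica in (("flawed", flawed), ("hardened", hardened), ("normal", normal)):
        print(f"{name:9s} accepts unproven message: {accepts_unproven_message(replica)}")
```

Running `accepts_unproven_message` against a freshly initialised or upgraded deployment in a test suite is the kind of invariant check that catches this class of mistake before release.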

3

Affected by the attack on the Nomad cross-chain bridge, the Moonbeam token GLMR fell by 19.9% within 24 hours. The drop may be related to the suspension of the Moonbeam and Moonriver cross-chain bridges this morning. More than an hour later, Moonbeam tweeted that no security issues had been found, that network maintenance had ended, and that all functions had been restored.

In response to the nearly $200 million in losses, Nomad said it had notified law enforcement of the attack and was working to identify the accounts involved and recover the funds. As of press time, according to the latest official news from Nomad, Nomad has called on the attackers to return the funds on-chain. Nomad told the attackers: "If you are willing to return the improper profit to nomadeexploit.eth, no further action will be taken against you, and you can get 20% of the bounty and deal with it as a white hat."

Tokenview will continue to pay attention to the latest developments of the Nomad bridge attack!


Origin blog.csdn.net/Tokenview/article/details/126136909