A new hack in the world of cross-chain bridges: Nomad has suffered the exploitation of a flaw in its smart contracts, resulting in the draining of $190 million, almost all of its total value locked (TVL). However, some people used the flaw to withdraw as much of the funds as possible in order to protect them, saying they were ready to return them as soon as possible.
Nomad cross-chain bridge disaster
A massive exploit took place overnight, draining more than $190 million from the Nomad cross-chain bridge, which allows tokens to be transferred between Ethereum (ETH), Avalanche (AVAX), Moonbeam (GLMR), Milkomeda C1 and Evmos.
Almost all the funds were thus emptied from the bridge in a flash.
According to on-chain data, the first fraudulent transaction allowed a bridge user to withdraw 100 wBTC, worth $2.3 million at the time. Knowledge of the flaw gradually spread, and because of a bug in the smart contracts anyone could withdraw the same amount several times over.
Fortunately, some people stood out by withdrawing as much as possible and then declaring that they had acted as whitehats in order to protect the funds in question, and that they would return them as soon as a reliable destination address was provided, as this transaction shows.
The background of the exploit
According to a post mortem published by @samczsun, a researcher at Paradigm, the flaw stems directly from an update to the Nomad bridge smart contracts.
When a token is transferred via a bridge, it is locked to a smart contract before being redistributed in wrapped form.
In this case, the flaw in the smart contract allowed users to withdraw funds that did not belong to them. Put very simply, a code error in the smart contract caused all transactions to be validated automatically, so they could be repeated in a loop.
This is why the flaw could be exploited on such a large scale, and above all by almost anyone, since very little manipulation was required.
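To make the "validated automatically" failure concrete, here is a simplified model of a bridge's message-acceptance check and a hardened version. This is an added educational example, not Nomad's code; it follows the root cause described in the samczsun post mortem (an upgrade marked the default, all-zero root as confirmed, so messages that were never proven passed the check), and all names, the sample message and the timestamps are constructed.

```python
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32  # default value of an unset storage slot


@dataclass
class Replica:
    """Model of a receiving-side bridge contract (constructed, not Nomad's code)."""
    confirm_at: dict = field(default_factory=dict)  # root -> time it becomes trusted
    messages: dict = field(default_factory=dict)    # message hash -> proven root
    processed: set = field(default_factory=set)
    now: int = 1_000                                # simulated block timestamp

    def prove(self, message: bytes, root: bytes) -> None:
        # A real bridge verifies a Merkle proof here; the model records the root.
        self.messages[sha256(message).digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and self.now >= t

    def process(self, message: bytes) -> bool:
        h = sha256(message).digest()
        if h in self.processed:
            return False
        # Bug pattern: a message that was never proven yields the default zero
        # root. If that root is marked confirmed, every unproven message passes.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


class HardenedReplica(Replica):
    def acceptable_root(self, root: bytes) -> bool:
        if root == ZERO_ROOT:  # the default value is never a trusted root
            return False
        return super().acceptable_root(root)


def vulnerable_replica() -> Replica:
    r = Replica()
    r.confirm_at[ZERO_ROOT] = 1  # what the faulty upgrade did
    return r


def hardened_replica() -> Replica:
    r = HardenedReplica()
    r.confirm_at[ZERO_ROOT] = 1  # same misconfiguration, now harmless
    return r
```

The hardened check also shows the detection angle: any `process` call whose message hash has no `prove` entry is an anomaly worth alerting on, regardless of what the confirmation table says.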
This event is another reminder of the particular exposure of cross-chain protocols, which are very often involved in large-scale hacks whose repercussions automatically spread to other actors. Here, for example, the Evmos blockchain team indicated that the hack had significantly impacted its LST.
At over $190 million, this breach is the 5th largest hack in the history of cryptocurrencies, just behind Bitmart’s $196 million (at the time) in April 2021.