Nomad has suffered from one of the biggest exploits in the decentralized finance (DeFi) space since the beginning of the year.
The Nomad team announced Monday that it had been exploited. Cross-chain token bridge Nomad lost almost all funds in its protocol after this attack.
According to the latest report, the protocol lost about $200 million in this attack.
Nomad is a cross-chain bridge that allows users to send and receive tokens between different blockchains. Monday’s exploit further highlights security concerns regarding cross-chain bridges.
and Statement to CoinDeskthe Nomad team said.
“Investigations are ongoing and leading players in blockchain intelligence and forensics are being held,” the team said. “We are working around the clock to notify law enforcement, address the situation, and provide timely updates. It’s about tracking and retrieving.”
upon twitter@samczsun, a researcher at crypto investment firm Paradigm, took the time to explain the exploit in detail.
According to the researchers, the attackers took advantage of recent updates to one of Nomad’s smart contracts to allow users to easily spoof transactions. This update allowed a user to withdraw money from her Nomad bridge that wasn’t hers.
The researchers added that unlike other cross-chain hacks carried out by a single perpetrator, Nomad’s attack is free for everyone. He said;
“During routine upgrades, we discovered that the Nomad team initialized the trusted root to 0x00. To clarify, using a zero value as the initialization value is common practice. Unfortunately in this case it had the small side effect of auto-certifying all messages.
This is why hacking has been so confusing. I didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find the transaction that worked, find someone else’s address, replace it with yours, and rebroadcast it. ”
Nomad’s exploit comes months after Wormhole Bridge lost $300 million to hackers. Axie Infinity’s Ronin Bridge suffered the most severe attack in cross-chain history, losing over $600 million to hackers.