Hackers stole $190 million from Nomad’s cross-chain token bridge in an attack on Monday. The attack on the Nomad cross-chain bridge was the third-largest crypto heist of 2022 and the ninth-biggest ever.
Nomad Cross-Chain Bridge Drained for $190 Million
Cross-chain bridges in the world of decentralized finance (DeFi) just can’t catch a break, no matter how long they have been running and even after they have been audited. The attack on the Nomad cross-chain bridge resulted in the loss of $190 million in crypto funds. Certik, a blockchain auditor, published an incident report.
“The vulnerability was in the initialization process where the “committedRoot” is set as ZERO,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” Certik added, noting:
This exploit was discovered when routine upgrades allowed Nomad to bypass verification messages. The exploit was used by hackers to execute copy/paste transactions, and they were able to drain nearly all the funds from the bridge before it could be fixed.
Since their inception, cross-chain bridges have suffered from every exploit possible. At the end of March, the largest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin bridge. According to Comparitech’s crypto heist tracker, the Nomad bridge attack was the third-largest breach this year. While Nomad connected a variety of blockchain networks, the founder and CEO of Ava Labs, Emin Gün Sirer, tweeted about the incident and said the AVAX bridge was safe.
“The Nomad bridge, used by non-Avalanche chains, was hacked today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) — The Avalanche Bridge is unaffected.”
Nomad Raised $22 Million in April, Blockchain Security Company Certik Says This Particular Bug ‘Would Be Difficult to Discover Under Conventional Auditing Practices’
The Nomad bridge was attacked after the project raised approximately $22.4 million in seed capital in a financing round managed by Polychain Capital. Ethereal Ventures (Hack.vc), Circle Ventures (Amber, Robot Ventures), Hypersphere, Figment and Archetype were other strategic investors who helped Nomad raise funding. Although a broader audit might have revealed the Nomad bridge vulnerability, Certik’s blockchain and smart contract auditors say that a traditional audit may not have caught it.
“This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by mistakes in the deployment parameters,” Certik’s report on the Nomad situation concludes. “However, a broader auditing process and full-scope penetration test that includes validating deployment processes would potentially capture this bug,” the auditors added.
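A minimal Python model of the failure Certik describes, together with the deployment-parameter check its report recommends. This is an added illustration, not code from Nomad's contracts or Certik's report: `ReplicaModel`, `check_init_params` and the helper names are hypothetical, and the model assumes that a message with no recorded proof maps to the all-zero root, as an unset storage slot would.

```python
import hashlib

ZERO_ROOT = bytes(32)  # value of an unset 32-byte storage slot

def h(left, right):
    return hashlib.sha256(left + right).digest()

def leaf_hash(message):
    return hashlib.sha256(message).digest()

def branch_root(leaf, proof):
    """Fold a Merkle proof; each step is (sibling, sibling_is_left)."""
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node

def check_init_params(committed_root):
    """Deployment-time validation: list the reasons to refuse this parameter."""
    if len(committed_root) != 32:
        return ["committedRoot must be 32 bytes"]
    if committed_root == ZERO_ROOT:
        return ["committedRoot is ZERO, the root every unproven message maps to"]
    return []

class ReplicaModel:
    """Hypothetical, simplified message verifier (constructed for illustration)."""

    def __init__(self, committed_root, hardened):
        self.hardened = hardened
        self.trusted_roots = {committed_root}  # roots accepted as confirmed
        self.message_root = {}                 # leaf -> root it was proven under

    def prove(self, message, proof):
        leaf = leaf_hash(message)
        self.message_root[leaf] = branch_root(leaf, proof)

    def process(self, message):
        # A message that was never proven falls back to the zero root.
        root = self.message_root.get(leaf_hash(message), ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False  # "no proof recorded" must never count as a trusted root
        return root in self.trusted_roots
```

Running `check_init_params` as a gate in the deployment pipeline is the kind of deployment-process validation the auditors say a conventional code audit would not cover.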