On Monday, the cross-chain token bridge Nomad was attacked and hackers managed to siphon $190 million from the protocol, draining a great majority of the funds. The Nomad cross-chain bridge attack was the third-biggest crypto heist of 2022, and the ninth largest of all time.
Nomad Cross-Chain Bridge Exploited for $190 Million
In the world of decentralized finance (DeFi) cross-chain bridges simply cannot catch a break, no matter how long they have been in operation and even after the bridges are audited. On August 1, 2022, cross-chain bridge Nomad suffered an attack that caused the bridge to lose $190 million in crypto funds. Security experts from blockchain auditing firm Certic published an incident report detailing what happened.
“The vulnerability was in the initialization process where the “committedRoot” is set as ZERO,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” Certik added, noting:
The exploit occurred when a routine upgrade allowed the verification messages on Nomad to be bypassed. Attackers abused this to copy/paste transactions and were able to eliminate almost all of the bridge of funds before it was stopped.
Cross-chain bridges have been suffering from exploit after exploit since they were first introduced. At the end of March, the largest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin bridge. Researchers at Comparitech detail that the Nomad bridge attack was the third-largest breach this year, according to the research firm’s crypto heist tracker. While Nomad connected a variety of blockchain networks, the founder and CEO of AVA Labs, Emin Gün Sirer, tweeted about the incident and said the AVAX bridge was safe.
“The Nomad Bridge Used by Non-Avalanche Chains Was Hacked Today,” Gun Sirer wrote, “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) – the avalanche bridge is unaffected.”
Nomad Raised $22 Million in April, Blockchain Security Company Certik Says This Particular Bug ‘Would Be Difficult to Discover Under Conventional Auditing Practices’
The attack against the Nomad bridge follows the project raising approximately $22.4 million in seed funding in a finance round led by Polychain Capital. Other strategic investors that helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While a broad audit could have found the Nomad bridge vulnerability, the blockchain and smart contract auditors from Certik say this attack may be more difficult to find in a conventional audit.
“This type of issue would be difficult to find under traditional auditing practices that assume all deployment configurations are correct, as this particular bug was introduced by mistakes in deployment parameters,” concludes Certik’s report on the Nomad situation. “However, a comprehensive auditing process and full-scope penetration testing that includes validating deployment processes will potentially catch this bug,” the auditors said.
