Defi . 2 Aug 2022

Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack

by Udit Agarwal
Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack
source: unsplash
Read News

Read news for me

Yesterday, Nomad (a cross-chain bridge) was exploited, and nearly $200 million worth of tokens were stolen, making it the 5th-largest DeFi hack.

Like any other cross-chain bridge, Nomad also allows users to transfer tokens between different blockchains. The Total Value Locked (TVL) on Nomad plummets to $15.7K from over $200M in less than few hours.

nomad
source: DefiLlama showing the fall of TVL following the hack

“We are aware of the incident involving the Nomad token bridge,” tweeted Nomad following the incident. We are currently investigating and will provide updates when we have them.”

How Was Nomad Hacked?

Nomad bridges work by locking up tokens in a smart contract on one chain and then reissuing those tokens in the wrapped form on another.

A function in the nomad smart contract, named `process()` checks the validity of the message. But the team, unfortunately, marked zero root (0x00) as an acceptable root. In simple terms, every message gets auto-approved, which is exploited by multiple users. 

Sam Sun, a researcher at Paradigm tweeted that a recent update of Nomad’s smart contracts made it easy for its users to spoof transactions.

The vulnerability was also pointed out by Quantstamp in their audit report. Unlike regular bridge hacks, Nomad was exploited by multiple users, so it's hard to hold someone accountable.
The hack weighed on the prices of leading cryptocurrencies. Both Bitcoin and Ethereum trade on the bearish side losing at least 2% over the past 24 hours, according to data from Coingecko.