SECURITY

Verification vulnerability caused a commotion! Cross-chain protocol Nomad falls victim to decentralized robbery, suffering a loss of 190 million yuan.

share
Verification vulnerability caused a commotion! Cross-chain protocol Nomad falls victim to decentralized robbery, suffering a loss of 190 million yuan.

Early this morning, Twitter user Spreek discovered that the asset cross-chain protocol Nomad appeared to have experienced a Rug event, with a large amount of tokens being transferred out of the protocol at a rate of approximately $10 million per minute. Upon verification, it was found that this was not just a hack, but a decentralized collective heist.

Cross-chain Protocol Nomad Hacked

According to a tweet from Spreek, this morning, a series of tokens were discovered moving from the cross-chain protocol Nomad to various different addresses, starting with WBTC, followed by WETH, USDC, and others. The observed speed of token transfers was quite rapid, with approximately $10 million flowing out every minute.

Following this incident, the original assets on Nomad, which were approximately $190 million, now remain at less than one-thousandth, with only about $782 left.

Small Vulnerability Turns Nomad into ATM for Everyone

As news spread, researchers from the crypto investment firm Paradigm, samczsun and blockchain developer foobar, were quick to provide explanations. They found that after researching the Moonbeam network, assets moved from Moonbeam through Nomad to Ethereum, the assets actually increased.

One example showed 0.01 WBTC moved from Moonbeam to Ethereum, but ended up as 100 WBTC.

Further observation revealed that the transactions to Ethereum were not authorized for anything but directly called the process function.

Samczsun pointed out a fatal flaw in the Replica contract at line 185, which was supposed to verify the presence of a verifiable merkle root in the message to prevent users from passing arbitrary data.

However, foobar explained that when the team called the initialize function 41 days ago, they marked the zero root, 0x00, as an acceptable root. This meant that by default, every message would automatically be proven, which is why this hack was so chaotic and involved so many people.

"If a user wants to steal funds from a cross-chain bridge, they only need to copy the transaction data the initial hacker called and replace the original address with their own; the transaction will succeed! It's as simple as CTRL-C, CTRL-V," foobar said.

During the hack, the EVMOS token surged over 150%, possibly due to Nomad being the primary cross-chain bridge for Evmos, a Cosmos ecosystem EVM-compatible chain, and stolen funds needing EVMOS as gas for withdrawals.

Aftermath of the Hack

Following the incident, the Evmos team stated on Twitter that they are closely collaborating with the Nomad team and that Nomad has been temporarily shut down, preventing users from withdrawing their ERC20 Wrap assets from Evmos to Ethereum. They will provide timely updates on the impact of this event on Evmos users and those who hold Nomad assets.

Fortunately, this incident has also caught the attention of some white-hat hackers, who have indicated that they have recovered some assets that will be returned in the future.

Additionally, according to blockchain security firm SlowMist's tracking, about half of the compromised funds, approximately $95 million, are concentrated in three addresses and are currently under monitoring.

Another blockchain security firm, PeckShield, discovered that the hacker involved in the previous Rari Capital hack was also one of the attackers in this incident.