Verification vulnerability caused a commotion! Cross-chain protocol Nomad falls victim to decentralized robbery, suffering a loss of 190 million yuan.
Early this morning, Twitter user Spreek discovered that the asset cross-chain protocol Nomad appeared to have experienced a Rug event, with a large amount of tokens being transferred out of the protocol at a rate of approximately $10 million per minute. Upon verification, it was found that this was not just a hack, but a decentralized collective heist.
Cross-chain Protocol Nomad Hacked
According to a tweet from Spreek, this morning, a series of tokens were discovered moving from the cross-chain protocol Nomad to various different addresses, starting with WBTC, followed by WETH, USDC, and others. The observed speed of token transfers was quite rapid, with approximately $10 million flowing out every minute.
Following this incident, less than one-thousandth of the roughly $190 million originally held on Nomad remains, only about $782.
Small Vulnerability Turns Nomad into ATM for Everyone
As news spread, researchers from the crypto investment firm Paradigm, samczsun and blockchain developer foobar, were quick to provide explanations. Examining the Moonbeam network, they found that assets moved from Moonbeam through Nomad to Ethereum actually increased in amount along the way.
One example showed 0.01 WBTC moved from Moonbeam to Ethereum, but ended up as 100 WBTC.
Further observation revealed that the transactions on Ethereum did not go through any proof or authorization step at all; they simply called the process function directly.
Samczsun pointed out a fatal flaw in the Replica contract at line 185, where the code was supposed to verify that the message had been proven against a valid merkle root, preventing users from submitting arbitrary data.
However, foobar explained that when the team called the initialize function 41 days ago, they marked the zero root, 0x00, as an acceptable root. Since an unproven message maps to that same zero value, every message was treated as already proven by default, which is why this hack was so chaotic and involved so many people.
"If a user wants to steal funds from a cross-chain bridge, they only need to copy the transaction data the initial hacker called and replace the original address with their own; the transaction will succeed! It's as simple as CTRL-C, CTRL-V," foobar said.
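A simplified Python model of the root check described above, added here as an illustration (it is not Nomad's Solidity or the real Replica contract; the class, method and variable names are assumptions). It shows why an unproven message passes once initialize() has marked the zero root acceptable, and how a hardened check that refuses the zero root outright closes the gap while still accepting a properly proven message.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default mapping value; also the "zero root" 0x00 from the article


class Replica:
    """Minimal model (assumed names) of the Replica root check described above."""

    def __init__(self, committed_root: bytes):
        self.confirm_at: dict[bytes, int] = {}   # root -> timestamp it becomes acceptable
        self.messages: dict[bytes, bytes] = {}   # message hash -> root it was proven under
        self.processed: set[bytes] = set()
        # initialize(): the committed root is acceptable immediately (timestamp 1).
        # Passing ZERO_ROOT here is the misconfiguration the article describes.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and now >= confirm_time

    def prove(self, message: bytes, root: bytes, now: int) -> bool:
        # Merkle proof verification is omitted in this model; we assume the proof is
        # valid and only record which root the message was proven under.
        if not self.acceptable_root(root, now):
            return False
        self.messages[hashlib.sha256(message).digest()] = root
        return True

    def process(self, message: bytes, now: int) -> bool:
        digest = hashlib.sha256(message).digest()
        # A message that was never proven reads back as the default value: the zero root.
        root = self.messages.get(digest, ZERO_ROOT)
        if not self.acceptable_root(root, now) or digest in self.processed:
            return False
        self.processed.add(digest)
        return True  # at this point the message would be handed to the bridge router


class HardenedReplica(Replica):
    """Fix: the zero root is never acceptable, whatever initialize() stored."""

    def acceptable_root(self, root: bytes, now: int) -> bool:
        return root != ZERO_ROOT and super().acceptable_root(root, now)


def demo() -> tuple[bool, bool, bool]:
    msg = b"constructed sample bridge message"  # constructed, not a real Nomad message
    real_root = hashlib.sha256(b"constructed merkle root").digest()  # constructed root
    vulnerable = Replica(committed_root=ZERO_ROOT)
    hardened = HardenedReplica(committed_root=ZERO_ROOT)
    unproven_passes = vulnerable.process(msg, now=100)    # True: the bug
    unproven_rejected = hardened.process(msg, now=100)    # False: fixed
    hardened.confirm_at[real_root] = 50                   # a genuinely confirmed root
    proven_passes = hardened.prove(msg, real_root, now=100) and hardened.process(msg, now=100)
    return unproven_passes, unproven_rejected, proven_passes
```

The same invariant (an unproven message must never satisfy the root check) is what an auditor would assert against the real contract's initialize parameters before deployment.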
During the hack, the EVMOS token surged over 150%, possibly due to Nomad being the primary cross-chain bridge for Evmos, a Cosmos ecosystem EVM-compatible chain, and stolen funds needing EVMOS as gas for withdrawals.
Aftermath of the Hack
Following the incident, the Evmos team stated on Twitter that they are closely collaborating with the Nomad team and that Nomad has been temporarily shut down, so users cannot currently withdraw their wrapped ERC20 assets from Evmos to Ethereum. They will provide timely updates on the impact of this event on Evmos users and holders of Nomad assets.
A couple hours ago, the Nomad ERC20 bridge contract was exploited. Most assets have been drained. We’re working closely with the Nomad team and will follow up as we get more info.
Rest assured, the Evmos chain is functioning properly. This is strictly a bridge exploit. (1/3)
— Evmos is Hiring ☄️ (@EvmosOrg) August 2, 2022
Fortunately, this incident has also caught the attention of some white-hat hackers, who have indicated that they have recovered some assets that will be returned in the future.
Additionally, according to blockchain security firm SlowMist's tracking, about half of the compromised funds, approximately $95 million, are concentrated in three addresses and are currently under monitoring.
A quick update on the @nomadxyz_ attack
So far, over $95M of the stolen funds remain in the 3 addresses below.
👇
— MistTrack🕵️ (@MistTrack_io) August 2, 2022
Another blockchain security firm, PeckShield, discovered that the hacker involved in the previous Rari Capital hack was also one of the attackers in this incident.
PeckShield found that one of the @nomadxyz_ bridge exploiters is @RariCapital (Fuse Arbitrum) exploiter, who gained ~$3m in this exploit. https://t.co/Uxy66rXrJ1 pic.twitter.com/CNI71HrKri
— PeckShield Inc. (@peckshield) August 2, 2022