Nomad has become the latest token bridge to be attacked this year, following the high-profile exploits of the Ronin, Wormhole, and Harmony bridges.
Nomad Bridge announced in the early hours of August 2 that it was aware of an ongoing exploit. The token bridge, which handles cross-chain transfers between Ethereum, Avalanche, Milkomeda, and Moonbeam, saw more than $190 million in locked value drained within hours.
White hat developer and crypto community member samczsun broke down the sequence of events and provided an explanation, calling the attack “one of the most chaotic hacks that Web3 has ever seen.”
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Nomad funds drained
Nomad’s total locked value has dropped from $190.38 million to $11,173 in the past few hours, according to DefiLlama data.
According to samczsun’s thread, it began when someone posted in the ETHSecurity Telegram channel a screenshot showing a series of transactions draining funds from the bridge.
After some painful manual digging through the Moonbeam network, samczsun found that while the Moonbeam transaction moved 0.01 WBTC, the matching Ethereum transaction mysteriously released 100 WBTC. At first glance it looked like a token-decimals misconfiguration.
What sets this exploit apart is that the messages were never “proved”: the transactions went straight to processing. Processing a message without first proving it is really bad, as samczsun put it. Digging further, he found the fatal flaw in the “Replica” smart contract, introduced when it was initialized during a routine Nomad upgrade.
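To make the prove-then-process mechanism concrete, here is an added Python model (not Nomad’s Solidity and not samczsun’s code) of a Replica that records which Merkle root a message was proven under and lets process() run only if that root has been confirmed. It also shows the failure mode samczsun’s thread went on to identify, which this page does not spell out: if the committed root passed at initialization is the all-zero value, the zero root becomes “acceptable”, and because an unproven message reads back a zero root from the mapping, every unproven message passes the check. The hardened variant simply refuses the zero root. The names, the sha256 stand-in for keccak256, the constructed message bytes and the skipped Merkle-proof verification are assumptions of the model.

```python
"""
Simplified model of a Replica contract: a message must be proven against a
confirmed root before process() will execute it. Added illustration only;
sha256 stands in for keccak256 and Merkle-proof verification is assumed to
have happened inside prove() (assumption: the proof step is not the flaw).
"""
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # value an unset bytes32 storage slot reads back as

# Constructed stand-in for a legitimate committed root.
GOOD_ROOT = hashlib.sha256(b"constructed legitimate root").digest()


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    # root -> timestamp from which that root is acceptable; absent = unknown
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven under; absent = never proven
    messages: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    reject_zero_root: bool = False  # hardened variant when True

    def initialize(self, committed_root: bytes) -> None:
        # The committed root is trusted immediately (confirmed at time 1).
        # If committed_root is ZERO_ROOT this is the fatal misconfiguration.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the "unset" value is never acceptable
        t = self.confirm_at.get(root, 0)
        return t != 0 and now >= t

    def prove(self, message: bytes, root: bytes) -> None:
        # Merkle-proof verification of `message` against `root` is assumed
        # to have passed; only the bookkeeping that matters here is kept.
        self.messages[msg_hash(message)] = root

    def process(self, message: bytes, now: int) -> bool:
        h = msg_hash(message)
        if h in self.processed:
            return False  # replay protection
        # An unproven message reads back the zero root, like an unset slot.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False  # "!proven"
        self.processed.add(h)
        return True


NOW = 1_659_000_000  # constructed block timestamp


def unproven_message_processed(committed_root: bytes, hardened: bool = False) -> bool:
    """Does a message that was never proven get processed?"""
    r = Replica(reject_zero_root=hardened)
    r.initialize(committed_root)
    return r.process(b"constructed: release 100 WBTC to attacker", NOW)


def proven_message_processed(committed_root: bytes) -> bool:
    """Does a message proven under the committed root get processed once?"""
    r = Replica()
    r.initialize(committed_root)
    msg = b"constructed: release 0.01 WBTC to user"
    r.prove(msg, committed_root)
    first = r.process(msg, NOW)
    second = r.process(msg, NOW)  # replay must be rejected
    return first and not second


if __name__ == "__main__":
    print("correct init, unproven:", unproven_message_processed(GOOD_ROOT))
    print("zero-root init, unproven:", unproven_message_processed(ZERO_ROOT))
    print("zero-root init, hardened:", unproven_message_processed(ZERO_ROOT, True))
    print("correct init, proven:", proven_message_processed(GOOD_ROOT))
```

The interesting case is the second call: nothing about the message is checked, yet process() succeeds, which is why copying an existing exploit transaction and swapping the recipient was enough for anyone to join in. The hardened check is a one-line change, but the deeper lesson is that a default storage value should never be able to satisfy an authorization check.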