Rumours started to circulate on Monday night that Nomad Bridge had been exploited. Unidentified hackers were apparently draining funds on a colossal scale. As the story gained traction and capital leached away, Nomad confirmed the exploit. Thieves stole around $200 million, making this one of the biggest crypto heists in history. Even more stunning is the primitive nature of the exploit, which allowed countless amateur hackers and bystanders to get involved, mauling Nomad in a feeding frenzy.
During a routine upgrade “the Nomad team initialised the trusted root to be 0x00.” This is common practice but had the unwanted effect of auto-approving every single message: users were basically able to authorise their own withdrawals. One blockchain expert described the effect as “sort of like a cash machine spewing out money at the tap of a button.” You can read a more detailed analysis from @samczsun here, but “suffice to say, being able to process a message without proving it first is extremely not good.”
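To make the failure mode concrete, here is a toy model of a bridge replica's message-acceptance check, written as an added illustration for this article rather than taken from Nomad's contracts. It assumes (as the quoted analysis describes) that a message which was never proven reads back with an all-zero root, so marking 0x00 as trusted makes every unproven message look acceptable; the class and function names, the constructed root values and the timestamps are all illustrative. The hardened variant shows the two checks a defender would expect: a zero root is never trusted, and a message is rejected outright if it was never proven.

```python
"""Toy model of a bridge replica's message-acceptance check.

Illustrative code only, not Nomad's contract. Python dicts stand in for
Solidity mappings, whose unset entries read back as zero; that default is
what a "trusted root initialised to 0x00" interacts with.
"""
import hashlib

ZERO_ROOT = b"\x00" * 32  # the all-zero root set during the upgrade


def msg_hash(message: bytes) -> bytes:
    """Stable identifier for a message (sha256 is a stand-in for the real hash)."""
    return hashlib.sha256(message).digest()


class ReplicaModel:
    """Assumed structure: confirmed roots plus the root each message was proven under."""

    def __init__(self) -> None:
        # root -> time from which it is trusted; absent == 0 == never confirmed
        self.confirm_at: dict[bytes, int] = {}
        # message hash -> root it was proven under; absent == 0x00 == never proven
        self.proven_root: dict[bytes, bytes] = {}

    def confirm_root(self, root: bytes, at: int) -> None:
        self.confirm_at[root] = at

    def prove(self, message: bytes, root: bytes) -> None:
        # The real system verifies a Merkle proof here; the model only records it.
        self.proven_root[msg_hash(message)] = root

    def acceptable_root_vulnerable(self, root: bytes, now: int) -> bool:
        # Only asks whether the root has a confirmation time in the past.
        at = self.confirm_at.get(root, 0)
        return at != 0 and at <= now

    def acceptable_root_hardened(self, root: bytes, now: int) -> bool:
        # The zero root can never be trusted, whatever the storage says.
        if root == ZERO_ROOT:
            return False
        return self.acceptable_root_vulnerable(root, now)


def process_vulnerable(replica: ReplicaModel, message: bytes, now: int) -> bool:
    # Unproven messages fall through to ZERO_ROOT, which the upgrade made trusted.
    root = replica.proven_root.get(msg_hash(message), ZERO_ROOT)
    return replica.acceptable_root_vulnerable(root, now)


def process_hardened(replica: ReplicaModel, message: bytes, now: int) -> bool:
    root = replica.proven_root.get(msg_hash(message), ZERO_ROOT)
    if root == ZERO_ROOT:
        return False  # never proven: reject before consulting trusted roots
    return replica.acceptable_root_hardened(root, now)


def demo() -> dict[str, bool]:
    """Runs both variants against a proven and an unproven message (constructed data)."""
    r = ReplicaModel()
    r.confirm_root(ZERO_ROOT, at=1)  # the upgrade step: trusted root set to 0x00
    good_root = hashlib.sha256(b"constructed legitimate root").digest()
    r.confirm_root(good_root, at=1)
    r.prove(b"legit transfer", good_root)
    now = 100
    return {
        "unproven_vulnerable": process_vulnerable(r, b"never proven", now),
        "unproven_hardened": process_hardened(r, b"never proven", now),
        "proven_vulnerable": process_vulnerable(r, b"legit transfer", now),
        "proven_hardened": process_hardened(r, b"legit transfer", now),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The model shows why the bug was so cheap to trigger: nothing in the vulnerable path needs a forged proof, only the absence of one. The same check is also a useful pre-upgrade invariant for any replica-style contract: the zero root must never appear among the confirmed roots, and the proof step must be reached before any root comparison.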
Bridge exploits aren’t exactly uncommon, but what sets Nomad apart is its chaotic nature, branded a “free-for-all.” While other exploits require in-depth technical understanding, nearly anybody with a passing knowledge of smart contracts could drain Nomad. All that onlookers needed to do was find an attack that worked, switch the attacker’s address with their own and withdraw whatever they wanted. Many did. This was, as commentators pointed out, the first truly decentralised robbery.
It also shows how quickly news travels across social media. From a few speculative posts about capital flowing out of Nomad, everybody knew what was happening in a matter of minutes. Nomad says it’s working with TRM Labs and law enforcement to trace funds. It also appealed directly to white hat hackers, releasing an official wallet address for return of funds. Even this process opens the way for further scams, something which Nomad appeared to acknowledge as it warned users only to send to the official address.
Some were quick to point out that the company hasn’t even offered a bounty (or gas fee reimbursement). Others were more sympathetic, defending the trust model and multi-chain bridges more generally. Nomad will try to recoup at least some of the lost funds from white hat hackers and hope that law enforcement does the rest. In the meantime, the words of Professor Ronghui Gu (CEO of CertiK) seem especially pertinent: “protecting cross-chain bridges from lucrative attacks such as this are one of the most urgent problems facing the Web3 community.”