Nomad needs to find a new patch.

Crypto firm that promised security loses $200 million in 'frenzied free-for-all' hack

(Image credit: Thianchai Sitthikongsak/Getty)

In what now seems like a weekly event, the latest big crypto hack has made off with nearly $200 million in value from Nomad, a so-called cross-chain token bridge. These bridges are designed to allow people to transfer crypto tokens between different blockchains and, without getting too far into the weeds, work by locking up tokens on one chain and re-issuing them in a ‘wrapped’ form on another; the locking and re-issuing is handled by a smart contract.

Clearly not too smart, though, as Nomad has now acknowledged the hack and frenzied free-for-all. In a statement to Coindesk the company said: “An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained. We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds.”

So, what happened? Essentially Nomad pushed an update that made it easy for users to fake transactions and withdraw funds from the bridge that didn’t belong to them. This was not an exploit that required elite skills to take advantage of and, when it was noticed, hackers descended en masse and stole almost everything being held by Nomad’s Ethereum Mainnet smart contract.

Security researcher Samczsun, who works for the crypto investment firm Paradigm, explains the exploit in the below tweet thread, unrolled here.

2/ It all started when @officer_cia shared @spreekaway’s tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign
August 1, 2022

Essentially, the system had defaulted to accepting every message as ‘proven’ by default: “It turns out that during a routine upgrade, the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case it had a tiny side effect of auto-proving every message.”

That is, the process should be checking that every message is proven by the prover. This is a pretty foundational function. Nomad wasn’t doing it, allowing transactions to be faked, and the hordes descended.

“This is why the hack was so chaotic,” writes Samczsun. “You didn’t need to know about Solidity [a crypto programming language] or Merkle Trees [a data structure to verify transactions] or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
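To make the “auto-proving every message” failure concrete, here is an added Python model, not Nomad’s own code, of a bridge replica whose processing step only asks whether the root stored for a message is acceptable. The Merkle proof verification is assumed valid and skipped, and the class, function and address names are constructed for the example. The point it shows is that a never-proven message reads back a root of all zeros, so the moment the zero root is marked as confirmed (the upgrade the thread describes), any copy of a real message passes the check; the hardened variant adds the two checks a reviewer would want, namely that the message was explicitly proven and that a zero root is never acceptable.

```python
"""Model of a bridge 'Replica' whose message check trusts a zero root.

Added example, not Nomad's code: a simplified Python model of the pattern the
thread describes (trusted root initialised to 0x00, every unproven message
auto-proven). Merkle proof verification is assumed valid and not implemented.
"""
from dataclasses import dataclass, field
import hashlib

ZERO_ROOT = b"\x00" * 32  # what a Solidity bytes32 reads as when never written


def message_hash(message: bytes) -> bytes:
    # Stand-in for the on-chain keccak256 message hash (sha256 is fine for the model).
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    # root -> timestamp from which the root is accepted; 0 means "never confirmed"
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven under; an absent key behaves like a
    # Solidity mapping and reads back as ZERO_ROOT
    messages: dict = field(default_factory=dict)
    now: int = 1_000  # block timestamp used by the model

    def acceptable_root(self, root: bytes) -> bool:
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and self.now >= confirmed

    def prove(self, message: bytes, root: bytes) -> None:
        # A real contract verifies a Merkle inclusion proof before recording this.
        self.messages[message_hash(message)] = root

    def process_vulnerable(self, message: bytes) -> bool:
        # Reads the stored root (zero if never proven) and asks only whether that
        # root is acceptable. Once the zero root has a confirm_at entry, every
        # never-proven message passes this check.
        root = self.messages.get(message_hash(message), ZERO_ROOT)
        return self.acceptable_root(root)

    def process_fixed(self, message: bytes) -> bool:
        # Hardened: the message must have been explicitly proven, and the zero
        # root is never acceptable regardless of what confirm_at says.
        h = message_hash(message)
        if h not in self.messages:
            return False
        root = self.messages[h]
        if root == ZERO_ROOT:
            return False
        return self.acceptable_root(root)


def build_message(recipient: str, amount: int) -> bytes:
    # Constructed toy encoding of a bridge message (recipient + amount).
    return f"{recipient}:{amount}".encode()


def demo() -> dict:
    """Replays the scenario: a routine upgrade confirms the zero root, then an
    unproven copy of a real message with a swapped recipient is submitted."""
    replica = Replica()
    good_root = hashlib.sha256(b"constructed legitimate root").digest()
    replica.confirm_at[good_root] = 500         # a genuinely confirmed root
    replica.confirm_at[ZERO_ROOT] = 1           # the upgrade's 0x00 'trusted root'

    legit = build_message("0xALICE", 1_000)     # constructed addresses
    forged = build_message("0xMALLORY", 1_000)  # same message, recipient swapped
    replica.prove(legit, good_root)             # only the legitimate one is proven

    return {
        "legit_vulnerable": replica.process_vulnerable(legit),
        "legit_fixed": replica.process_fixed(legit),
        "forged_vulnerable": replica.process_vulnerable(forged),
        "forged_fixed": replica.process_fixed(forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} -> {'ACCEPTED' if ok else 'rejected'}")
```

Running it shows the legitimate message accepted by both variants, and the unproven copy accepted by the vulnerable check but rejected by the hardened one. The design lesson is the one the thread draws: a zero value is a fine initialiser only if nothing else in the contract can read back zero and be mistaken for it, so the “proven” state has to be tracked explicitly rather than inferred from a mapping’s default.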

Ultimately this came down to what should have been a run-of-the-mill update leaving the back door wide open. “Attackers abused this to copy/paste transactions,” writes Samczsun, “and quickly drained the bridge in a frenzied free-for-all.”

Crypto being crypto, which is to say a massive interlinked ecosystem (or stack of dominoes), it gets even worse. Nomad is or was used as a canonical or optimistic bridge, meaning that many smaller and newer blockchain companies use it to start playing a role in the wider crypto ecosystem.

Nomad has been chosen as the canonical bridge for @EvmosOrg, @MoonbeamNetwork, and @milkomeda_com, you need to get all of your assets off these chains immediately.
August 1, 2022

Moonbeam suspended its service temporarily but reckons it’s largely unaffected, while Milkomeda says “our hearts go out to anybody affected” which I’m sure is a comfort. Evmos seems the worst-affected and is “brainstorming community solutions” which is certainly a good euphemism for ‘we’re fucked’.

A mere five days ago Nomad raised $22.4 million in a seed round whose investors included the massive crypto companies Coinbase Ventures and OpenSea. This valued Nomad at around $225 million. How to lose a lot of money fast, eh.

Crypto almost seems like a synonym for scandal at the moment, with the sector’s claims of security being turned over again and again by hacking groups. In its way Nomad is one of the most worrying of the lot, because it wasn’t sophisticated: this looks like it can ultimately be attributed to human error.

This year has already seen the biggest hack in crypto history, when $600 million of crypto value was siphoned out of Axie Infinity (the CEO of the company also transferred $3 million out before making the news public). This was also a bridge hack, as was a $300 million hack on the Wormhole protocol that was catastrophic for the Solana blockchain.

Yes: we’re getting into word salad again. It’s also worth bearing in mind that all the above amounts are crypto amounts and not hard cash. A lot of money is being lost but it can be hard to be exact: estimates of the total value lost to hackers by Nomad go from $45 million to $200 million.

“The goal of Nomad is to provide the connective tissue to enable users and developers to interact securely in a multi-chain world” reads the cross-chain bridge’s documentation (emphasis theirs). Nomad sold people on the idea its protocol could offer more security for crypto transactions than the competition. Perhaps it’s Nomad’s time to move on.
