184 total views
On the morning of August 2, Nomad – a cross-chain bridge project became the next victim of hackers and “foul”, with a loss of more than $176 million.
Nomad was mercilessly “blooded”
Around 04:30 AM early on August 2, the crypto community began to observe and alarm about strange transactions on Nomad. This is a bridge project between Ethereum and Moonbeam – a parachain specializing in smart contract Polkadot.
Developer Metamask, whose Twitter account name is @sniko_ shared about a series of transactions that paid up to 350,000 USD but still failed. This person later discovered that there was an attack on Nomad for profit. Through many small transactions, a series of WBTC, WETH, USDC tokens and many ERC-20 standard tokens have been withdrawn.
User @1kbeetlejuice It was reported that only 2 hours later, Nomad’s smart contract was drained, evaporating 176.6 million USD.
FatManTerra claims that the attack was carried out using multiple accounts, even a “robbery”. Some users copied the first hacker’s transaction and changed only the withdrawal address, in order to steal Nomad. FatManTerra Jokingly, this is the first “decentralized” attack, true to the nature of the cryptocurrency industry.
According to data from the leading crypto market auditing firm (Audit) – SlowMistcash flow tracing found the 3 most extracted wallet addresses from Nomad, with a total value of $ 90 million.
Nomad’s vulnerability was discovered by security experts samczsun The determination comes from the project allowing the permission to withdraw money for the default root message, which is 0x000… This loophole was taken advantage of by hackers and made withdrawals. Others then know and simply copy the transaction of the first hacker.
“This is exactly why the hack was so chaotic – it doesn’t require you to know about Solidity or Merkle Tree. All you have to do is find a successfully hacked transaction, find/replace someone else’s address with yours, and then interact with Nomad’s smart contract.”
It is worth mentioning that the smart contract audit unit Quantstamp warned the Nomad team about this vulnerability in early June, but it was ignored and led to consequences.
The Nomad side has announced to close its cross-chain bridge to investigate the cause, and reminded users to be on the lookout for impostor accounts “calling looters to voluntarily return their money”.
On the other hand, Moonbeam has also brought the network to a “maintenance state”, but still allows users to perform transactions, interact with smart contracts, staking, and administer normally.
Is the cross-chain bridge project still safe?
The Nomad incident took place almost 1 year after Poly Network – another cross-chain bridge project was stolen 611 million USD. However, after the hack was discovered, the hacker decided to return the money because he thought he could not disperse such a large amount of money.
In early February 2022, the Wormhole bridge between Solana and Ethereum was attacked, damage 325 million USD. Wormhole then raised an emergency fund of a similar amount to ensure user compensation and resume operations.
More than a month later, on March 29, 2022, the community was shaken again when the Ronin bridge, the cross-chain of the cult game Axie Infinity was drained and discovered nearly a week later. With loss 622 million USDthis is the most serious hack in crypto history to date.
At the end of June, Ronin resumed operations, while the company behind Axie Infinity, Sky Mavis, raised $ 150 million in capital and paid out-of-pocket compensation for users. Recently, the company’s leader – CEO Trung Nguyen was also found evidence of transferring 3 million USD of AXS tokens to the Binance exchange before announcing the hack to the community.
During this same period, the Horizon bridge of the Harmony blockchain project was hacked, losing 100 million USD cryptocurrency. After nearly a month of “silence”, Harmony also proposed a solution to mint tokens to compensate the community but received a harsh response.
#Nomad #crosschain #bridge #hacked #lost #million #USD