On Monday, the cross-chain token bridge Nomad was attacked, and hackers managed to siphon $190 million from the protocol, draining the vast majority of its funds. The Nomad cross-chain bridge attack was the third-biggest crypto heist of 2022, and the ninth largest of all time.
Nomad Cross-Chain Bridge Exploited for $190 Million
Cross-chain bridges in decentralized finance (DeFi) keep getting exploited, no matter how long they have been running and even after they have been audited. On August 1, 2022, the cross-chain bridge Nomad suffered an attack that cost the bridge $190 million in crypto funds. Security experts at the blockchain auditing firm Certik published an incident report describing what happened.
“The vulnerability was in the initialization process where the ‘committedRoot’ is set as ZERO,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” Certik added, noting:
The exploit occurred when a routine upgrade allowed verification messages to be bypassed on Nomad. Attackers abused this to copy/paste transactions and were able to drain the bridge of nearly all funds before it could be stopped.
Cross-chain bridges have suffered exploit after exploit since they were first introduced. At the end of March, the largest hack of 2022 saw $620 million stolen from Axie Infinity’s Ronin bridge. Researchers at Comparitech report, based on the research firm’s crypto heist tracker, that the Nomad bridge attack was the third-largest breach this year. Nomad connected a variety of blockchain networks, but Emin Gün Sirer, the founder and CEO of Ava Labs, tweeted about the incident and said the AVAX bridge was safe.
“The Nomad bridge, used by non-Avalanche chains, was hacked today,” Gün Sirer wrote. “Nomad was the official bridge for EVMOS (Cosmos EVM), Moonbeam (Polkadot EVM), and Milkomeda (another EVM) — The Avalanche Bridge is unaffected.”
Nomad Raised $22 Million in April, Blockchain Security Company Certik Says This Particular Bug ‘Would Be Difficult to Discover Under Conventional Auditing Practices’
The attack against the Nomad bridge follows the project raising approximately $22.4 million in seed funding in a financing round led by Polychain Capital. Other strategic investors that helped Nomad raise funds include 1kx, Ethereal Ventures, Hack.vc, Circle Ventures, Amber, Robot Ventures, Hypersphere, Figment, Dialectic, Archetype, and Ledgerprime. While a broad audit could have found the Nomad bridge vulnerability, the blockchain and smart contract auditors from Certik say the bug behind this attack may be more difficult to find in a conventional audit.
“This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by mistakes in the deployment parameters,” Certik’s report on the Nomad situation concludes. “However, a broader auditing process and full-scope penetration test that includes validating deployment processes would potentially capture this bug,” the auditors added.
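The initialization flaw Certik describes, and the deployment-parameter validation its report recommends, shown as an added Python model (not Nomad's or Certik's code). It assumes a verifier that looks up the root each message was proven under and reads an unproven message as having the zero root; all class, function and sample names are hypothetical.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value of an unset 32-byte storage slot


class ReplicaModel:
    """Simplified model of a bridge message verifier (hypothetical names)."""

    def __init__(self, committed_root, reject_zero_root=False):
        self.reject_zero_root = reject_zero_root
        self.confirm_at = {committed_root: 1}  # root trusted from time 1 onward
        self.proven = {}  # message hash -> root the message was proven under

    def prove(self, message, root):
        # Stand-in for Merkle proof verification: record the proven root.
        self.proven[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root, now=2):
        # Hardened form: the zero root is never acceptable.
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= now

    def process(self, message):
        # Assumption: an unproven message reads back the default (zero) root.
        root = self.proven.get(hashlib.sha256(message).digest(), ZERO_ROOT)
        return self.acceptable_root(root)


def check_deploy_params(params):
    """Pre-deployment gate: return findings for unsafe initializer values."""
    findings = []
    value = params["committedRoot"]
    if value.startswith("0x"):
        value = value[2:]
    root = bytes.fromhex(value)
    if len(root) != 32:
        findings.append("committedRoot must be 32 bytes")
    elif root == ZERO_ROOT:
        findings.append("committedRoot is zero: unproven messages would verify")
    return findings


# Constructed sample values, not taken from the incident.
CONSTRUCTED_ROOT = hashlib.sha256(b"constructed sample root").digest()
UNPROVEN = b"constructed message with no proof"
```

Running `check_deploy_params` over the initializer arguments in a deployment pipeline turns the misconfiguration into a failed build rather than a live contract state.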