Nomad Hack


Crypto Bridge Nomad was exploited for $190M

Source: Decrypt
02 Aug 2022 / 10:06

In one of the most significant attacks since the one on Axie Infinity's Ronin bridge sidechain in March, a vulnerability in the Nomad token bridge enabled hackers to steal around $190 million from the bridge.

"The situation concerning the Nomad token bridge is known to us. We are conducting an investigation and will offer updates as they become available," Nomad tweeted on Monday afternoon.


The Nomad bridge is a protocol that enables users to transfer digital assets between blockchains, such as Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).

Some have pointed to a misconfiguration in a smart contract that Nomad uses to handle messages as the cause, which allowed Nomad’s liquidity pool to be drained of millions of dollars.

Sam Sun, a researcher at crypto investment company Paradigm, tweeted, “It all began when @officer_cia retweeted @spreekaway’s tweet in the ETHSecurity Telegram channel. Even though I did not understand what was happening at the time, the sheer number of assets departing the bridge was a warning indication.” — samczsun (@samczsun) August 1, 2022

“It turns out that after a regular upgrade…” Sun said. “The Nomad team set the trusted root value to 0x00. To be clear, it is standard practice to use zero values as startup values. Unfortunately, it had the minor effect of automatically proving every message.”

Sun compared what followed to “a frenetic free-for-all” since it required minimal technical understanding to exploit the vulnerability.

“You didn’t need to know about Solidity, Merkle Trees, or anything like that,” Sun wrote. “All you had to do was discover a successful transaction, find/replace the other person’s address with your own, and rebroadcast it.”

Similarly, blockchain security company CertiK warned that the flaw could be exploited by simply copying and pasting transactions. The company noted that the update could be exploited “by duplicating the original hacker’s transaction call data and substituting the original address with their own.”

All credit goes to @samczsun for diagnosing the exact vulnerability in his postmortem.

How did the first decentralized, mass theft of a nine-figure bridge occur? — foobar (@0xfoobar) August 2, 2022

Thus, virtually all of the bridge’s funds were depleted.

“Nomad’s bridge was compromised similarly to Qubit’s QBridge,” a16z security engineer Matt Gleason tweeted. “An insecure setup of the bridge allowed any transaction to be delivered over a specified path. The problem occurs within the ‘process’ function of the Replica.”

1/ The same thing happened to Nomad’s bridge as it did to Qubit’s QBridge. An insecure setting of the bridge allowed any transaction to be routed over a specified path. The error is within the “process” function of the Replica. — Matt Gleason’s website (@mg_486662) August 2, 2022

“The system will take any message it has never seen before and process it as if it were authentic, so all you have to do is ask for all the bridge’s money,” he continued.
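The failure mode Sun and Gleason describe, as a simplified Python model added here (not code from Nomad or from the original article). Class and method names are hypothetical, and the model assumes that a message nobody proved looks up as the zero root, so trusting 0x00 lets it through; the `reject_zero_root` flag shows the hardened check.

```python
# Simplified model with hypothetical names; not Nomad's contract code.
import hashlib

ZERO_ROOT = bytes(32)  # what an unset storage slot reads back as


class Replica:
    def __init__(self, trusted_root, reject_zero_root):
        self.trusted_roots = {trusted_root}  # roots whose messages may run
        self.proven_under = {}  # message hash -> root it was proven against
        self.processed = set()
        self.reject_zero_root = reject_zero_root

    def prove(self, message, root):
        # Stand-in for Merkle proof verification: just records the root.
        self.proven_under[hashlib.sha256(message).digest()] = root

    def process(self, message):
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False  # already processed once
        # Assumption of this model: an unproven message maps to the zero root.
        root = self.proven_under.get(digest, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" is never trusted
        if root not in self.trusted_roots:
            return False
        self.processed.add(digest)
        return True


def demo():
    # Constructed sample data; no proof is ever submitted for `forged`.
    forged = b"constructed: release funds to address A"
    genuine = b"constructed: release funds to address B"
    real_root = hashlib.sha256(b"constructed committed root").digest()
    weak = Replica(ZERO_ROOT, reject_zero_root=False)
    hardened = Replica(ZERO_ROOT, reject_zero_root=True)
    hardened.trusted_roots.add(real_root)
    hardened.prove(genuine, real_root)
    return {
        "weak_accepts_unproven": weak.process(forged),
        "weak_rejects_replay": not weak.process(forged),
        "hardened_accepts_unproven": hardened.process(forged),
        "hardened_accepts_proven": hardened.process(genuine),
    }


if __name__ == "__main__":
    print(demo())
```

In the weak replica the only remaining gate is the "already processed" set, which is why every previously unseen message is treated as authentic.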

According to the FTC, hacks targeting cryptocurrency projects have taken over $1 billion since 2021.
