Over $190 Million Drained From Nomad Bridge
A flaw in the Nomad bridge resulted in the loss of millions of dollars worth of crypto.
The Nomad bridge is a decentralized protocol that allows users to transfer digital assets between different blockchains, including Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
Although details from Nomad are scarce, some point to a misconfiguration in the smart contract that the protocol uses to process messages as the cause, which has allowed millions to be drained from Nomad’s liquidity pool.
Initial outflows from Nomad’s bridge contract focused on wrapped Bitcoin (WBTC), as well as wrapped Ethereum (wETH) holdings and later the stablecoin USDC. Cryptocurrencies worth $190 million were withdrawn.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Sam Sun, a researcher at crypto investment firm Paradigm, shared how he spotted the attack.
“Although I had no idea what was going on at the time, the sheer volume of assets leaving the bridge was clearly a bad sign.”
Sun stressed that minimal technical knowledge was required to execute the exploit.
“You don’t need to know about Solidity, Merkle Trees or anything like that.”
All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then redistribute it.