Nomad – a bridge network allowing users to convert their assets across blockchains – was exploited for over $156.4million on August 1st. Over 40 attackers utilised a code error that allowed them to spoof transactions – draining Nomad’s Ethereum contract of most of its funds. Just hours later, another crypto hack took place, this time on one of the largest cryptocurrencies on the market. Solana’s ‘hot’ wallets, or internet-connected wallets, were attacked, with 8000 wallets being drained for roughly $8million.
The Nomad exploit is the fourth major incident to target a bridge in 2022, and it is the eighth largest crypto theft of all time.
The attack was made possible by a recent upgrade to Nomad's smart contract that made it possible for users to "spoof" transactions – falsely claiming ownership of collateral within the bridge. As samczsun's analysis showed, the upgrade initialised the contract's trusted Merkle root to zero, and because a message that had never been proven was stored against that same zero root, any message, including one that had never been sent on the origin chain, passed the contract's validity check. The initial exploiter used the vulnerability to bridge 0.1 Wrapped Bitcoin (WBTC) from Moonbeam – ending up with 100 WBTC ($2.3million) on Ethereum.
Since the spoof transaction was easily replicable given its broadcast on block explorers, several copycat exploiters initiated the same or similar transaction to exploit the same vulnerability. Security researcher Samczsun posted a breakdown of the exploit on Twitter and called the incident “chaotic” – pointing to the lack of coding proficiency required to initiate it. “All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it,” Samczsun tweeted.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
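The check that failed, modelled in a few lines of Python. This is an added example, not Nomad's contract code: the `Replica` class, its field names and the `require_proof` switch are simplifications chosen to show the mechanism, and the sample messages and batch root are constructed. It reproduces the two facts described above: an unproven message resolves to the zero root, and the upgrade marked the zero root as confirmed, so anyone could process a made-up message and a copycat only had to change the recipient.

```python
"""Toy model of a cross-chain message Replica (example code, not Nomad's own)."""
from dataclasses import dataclass, field
import hashlib

ZERO_ROOT = b"\x00" * 32  # Solidity's default bytes32 for any unset storage slot


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    amount: int

    def digest(self) -> bytes:
        return hashlib.sha256(f"{self.sender}|{self.recipient}|{self.amount}".encode()).digest()


@dataclass
class Replica:
    # root -> time at which it becomes acceptable; absent/0 means never confirmed
    confirm_at: dict[bytes, int] = field(default_factory=dict)
    # message hash -> root it was proven against; unproven hashes are simply absent
    messages: dict[bytes, bytes] = field(default_factory=dict)
    processed: set[bytes] = field(default_factory=set)
    now: int = 100
    require_proof: bool = False  # the missing check; False reproduces the bug

    def initialize(self, committed_root: bytes) -> None:
        # The routine upgrade step: mark the committed root as confirmed at time 1.
        # Passing ZERO_ROOT here is what made every unproven message "valid".
        self.confirm_at[committed_root] = 1

    def prove(self, msg: Message, root: bytes) -> None:
        # Merkle-proof verification omitted; a relayer records the root a message belongs to.
        self.messages[msg.digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= self.now

    def process(self, msg: Message) -> bool:
        h = msg.digest()
        if h in self.processed:
            return False  # replay of an identical message is still rejected
        root = self.messages.get(h, ZERO_ROOT)  # unproven -> zero root
        if self.require_proof and root == ZERO_ROOT:
            return False  # fix: refuse anything that was never proven
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def drain(require_proof: bool) -> tuple[bool, bool, bool]:
    """Returns (forged message accepted, copycat accepted, honest message accepted)."""
    replica = Replica(require_proof=require_proof)
    replica.initialize(ZERO_ROOT)  # the upgrade that opened the hole
    # Forged message: never sent on the origin chain, never proven.
    forged = replica.process(Message("origin-bridge", "0xATTACKER1", 100))
    # Copycat: same payload, recipient find/replaced, re-broadcast.
    copycat = replica.process(Message("origin-bridge", "0xCOPYCAT2", 100))
    # Honest flow: a real batch root is confirmed and the message is proven against it.
    good_root = hashlib.sha256(b"constructed batch root").digest()
    replica.confirm_at[good_root] = 50
    legit = Message("alice", "0xBOB", 5)
    replica.prove(legit, good_root)
    honest = replica.process(legit)
    return forged, copycat, honest


if __name__ == "__main__":
    print("vulnerable:", drain(require_proof=False))  # all three accepted
    print("fixed:     ", drain(require_proof=True))   # only the proven message accepted
```

Either half of the fix would have closed the hole: refuse to confirm the zero root during initialisation, or require that a message was actually proven before consulting its root. The model keeps the replay check on purpose, since that check was never the problem; the copycat succeeds because a changed recipient is a different message with a different hash.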
Elliptic has identified over 40 exploiters and more than 200 malicious contracts deployed to automate the exploit. The most prolific exploiter was aided with 202 self-deployed malicious contracts and gained just under $42million. Wallets used to initiate previous DeFi thefts – including the January 2021 exploit of SushiSwap and the May 2021 exploit of RARI Capital – are also among those involved in this exploit.
The exploiters gradually drained the Nomad Ethereum contract of WETH, WBTC and stablecoins DAI, Tether and USDC. Other lower-value ERC-20 tokens were also stolen. As many Nomad users also withdrew their funds, the contract was left with just $15,000 in cryptoassets at midday August 2nd.
An ETH address with the ENS name nomadexploit.eth has sent transactions to various exploiters carrying variants of an on-chain message. At least six exploiters have since confirmed their intention to return the funds as white hats.
There is no verification yet that the address is affiliated with Nomad. Nomad itself has warned victims not to interact with any entity other than official Nomad channels.
Bridges Continue to be Top Targets for Threat Actors
Nomad is the fourth major bridge – alongside Wormhole, Ronin and Horizon – to be attacked in 2022. However, the attack vector differs from those of other recent bridge exploits, which were carried out through private key compromises (in the case of Ronin and Horizon) or a code exploit that allowed unbacked minting of assets (Wormhole).
Of these exploits, the Ronin and Horizon incidents have been attributed to North Korean cyberhackers known as the ‘Lazarus Group’, which has netted around $650million from these attacks.
Across the top 10 crypto hacks of all time – of which the Nomad exploit is eighth by USD value lost – four are now incidents relating to bridges. This also includes the record-breaking $611million PolyNetwork exploit in August 2021 – so far the largest crypto hack of all time. Exemplifying the risks faced by bridges, their exploits now make up just under 50 per cent ($1.6billion) of total funds lost in the top 10 thefts.
Bridges have long been known to be attractive to cyberhackers. They typically hold large liquidity, as users wishing to convert funds across blockchains lock their assets within the bridge's contracts. A bridge is also only as secure as the weakest chain, validator set or contract it relies on, and these are often less battle-tested than the chains it connects.
The Nomad exploit is likely to raise questions around the security of bridges once again.
Just because you’re a big cryptocurrency, that doesn’t make you safe from cyberattacks
This was the hard truth found out by Solana. Though the root cause remains unclear, an anonymous criminal gained access to the private keys of around 8,000 'hot' wallets and completely drained them of their funds. While initial figures put the losses at around $5.8million, other cryptoassets were also taken, bringing the total up to the $8million mark: wallets including Phantom, Slope and TrustWallet were compromised. Solana advised users whose wallets were compromised to switch to a 'cold' (hardware) wallet.
Responding to the news, Ruben Merre, co-founder and CEO of NGRAVE said, “Events like the Solana hack drive demand for better security solutions, with cold storage technology in particular. In recent months, as stories of hacks are coupled with an inordinate number of users being locked out of their assets, we are seeing a significant and increasing shift in attitudes from hot to cold storage.
“Recent events illustrate that keeping your crypto in a self-custodial online wallet is in itself still a dangerous option. Without a secure and convenient integration with a cold wallet, hot wallets may even prove to be the Achilles heel for crypto investors. Think about it, in your hot wallet you are doing everything online and can’t even verify where your “self-custodial” keys are coming from. Hazards are lurking around every corner and with yet another hack rocking the ecosystem, users and providers alike are coming to the same realisation; decentralised cold wallets are the only way to truly keep your assets safe. Crypto investors should be creating and storing their own keys on a cold wallet, offline, and safely away from hacks.
“Last year, over 14 billion worth of assets were stolen from the crypto community through heists and security breaches. This figure is more than five times the amount recorded in 2018. Yet with all this distress, the market as a whole remains positive, with user adoption still going strong. It’s time for a mindshift and a better future.”
Dominic Williams, president and chief scientist at DFINITY said, “The latest Solana security issue once again proves how if you introduce ‘trusted intermediaries’, they will get hacked. Bridges in blockchain are trusted intermediaries, and more than $1billion has been stolen from bridges this year alone. Metamask-style wallets are hosted on a cloud, like the Google Chrome Store. They are updated by trusted intermediaries, rather than algorithms, and interact with the cloud. What all of this means is that bridges can be hacked very easily.
“This is a consequence of people using centralised technology in blockchain and pretending it is real crypto. Continued hacks of this nature should inspire people to focus on internet identity, chain key cryptography and generating alternative offerings to bridges.”
Max Kordek, CEO and co-founder of Lisk added, "With a locked valuation of nearly $14billion, the $8million lost in this Solana hack is a drop in the ocean. The problem here lies rather in the large number of likely real-world users of Solana affected. This hack is a consecutive security problem with their platform that will cause confidence in the platform to decrease.
“It showcases that the Solana user experience is not where it needs to be, as users still have to use multiple wallets or browser extensions to interact with blockchain applications. There is still a long way to go until this experience is seamless. Unfortunately, this news will be overblown and used to spur further market fear, especially amongst Bitcoin maximalists who will use it to attack other Layer 1s.”
Rowland Graus, director of product at Agoric said, “It’s important not to jump to too many conclusions since the root cause of the hack is still unknown. However, the unknown cause itself has caused this hack to generate a lot of fear, since users can’t easily determine if they were affected. It will certainly serve as a wake-up call for users to better secure their assets, for example using hardware wallets. Despite this, I don’t expect much impact on the wider market. We’ve shrugged off far larger exploits without a hitch – just the day before there was a nine-figure exploit of a major bridge – and this will be no different.”
Chris Goes, co-founder of Anoma concluded, “The current state of software supply chain and operational security for web-based wallets is quite low, and clever adversaries have their pick of many weak points to target, such as dependency takeover, domain spoofing, and smart contract bug-hunting. This situation is not unique to the cryptocurrency or blockchain sector, but rather a result of the way the web application stack has been developed, and can only be fixed in the long-term by a concerned, coordinated effort to properly sandbox code (such as Agoric’s SES effort), perform end-user behavioral verification of both application and contract code, and use naming systems without such central points of attack. Individuals should take care when using any software, especially software which manages critical data or financial transactions, and practice defence-in-depth to limit their exposure to bugs in any particular application.”