Cross-chain bridges are juicy, juicy targets for hackers. The three largest DeFi exploits ever were bridges. Now, Nomad joins the ranks. The Nomad Bridge was hacked on August 1st, 2022 for a catastrophic loss of over $190M USD worth of tokens.
Nomad was the canonical bridge for Evmos, Moonbeam, and Milkomeda chains. If you have funds on any of those networks, please take appropriate actions to protect yourself.
The root cause of the attack was devastatingly simple. Nomad’s bridge contract on Ethereum failed to correctly validate an input, allowing users to arbitrarily call it with their own payload. That phrase should send a shiver down any developer’s spine, and for good reason. The damage from such an action can be practically unlimited.
Further complicating the attack, users quickly realized the attack could be repeated by anyone. And repeat it they did. All and sundry piled in, including a villain from a previous season, the Rari Capital (Arbitrum) Exploiter coming out of nowhere to claim 600,000 USDT. From regular users trying to withdraw their own funds to copycat attackers trying to cash in, sorting out the mess will take a long time.
There’s a silver lining, though. Some users were able to whitehat quantities of the bridge’s funds.
The attack has further far-reaching effects as well. The overwhelming majority of the USDC on Evmos was bridged via Nomad – leaving Evmos USDC without backing and worthless after the Nomad bridge was hacked. Users are fleeing for the exit and swapping for any liquidity available.
The nature of the exploit means that everything couldn’t be drained in a single transaction. Instead, the attack dragged on for an agonizing 2.5 hours, as the attacker continued to rip through the token supplies, whitehats frantically tried to save what they could, generalized frontrunner bots started indiscriminately sniping whatever transactions they could, and lesser vultures started to pick at the bones of the protocol.
As the dust settles and the post-mortems roll in, I’ll update this post with more details. For now, the bridge is drained, and negotiations with the attacker have begun.