Nomad Bridge Hacked, $190M Lost

Cross-chain bridges are juicy, juicy targets for hackers. The three largest DeFi exploits ever were bridges. Now, Nomad joins the ranks. The Nomad Bridge was hacked on August 1st, 2022 for a catastrophic loss of over $190M USD worth of tokens.

Nomad was the canonical bridge for Evmos, Moonbeam, and Milkomeda chains. If you have funds on any of those networks, please take appropriate actions to protect yourself.

The root cause of the attack was devastatingly simple. Nomad’s bridge contract on Ethereum failed to correctly validate an input, allowing users to arbitrarily call it with their own payload. That phrase should send a shiver down any developer’s spine, and for good reason. The damage from such an action can be practically unlimited.

Initial analysis of the @nomadxyz_ exploit points to the processor contract not validating the received message payload.
— 0xmagnetized.eth (@0xmagnetized) August 1, 2022

Further complicating the attack, users quickly realized the attack could be repeated by anyone. And repeat it they did. All and sundry piled in, including a villain from a previous season, the Rari Capital (Arbitrum) Exploiter coming out of nowhere to claim 600,000 USDT. From regular users trying to withdraw their own funds to copycat attackers trying to cash in, sorting out the mess will take a long time.

11/ This is why the hack was so chaotic – you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it
— samczsun (@samczsun) August 2, 2022

There’s a silver lining, though. Some users were able to whitehat quantities of the bridge’s funds.

Nomad bridge is now completely drained.

Together with @RugDocIO we did a whitehat of the remaining large token balances (about $1.5m, we were definitely late) which will be returned to the affected projects.@IagonOfficial @GeroWallet @covalent_hq please DM.
— Paladin Blockchain Security (@0xPaladinSec) August 1, 2022

The attack has further far-reaching effects as well. The overwhelming majority of the USDC on Evmos was bridged via Nomad – leaving Evmos USDC without backing and worthless after the Nomad bridge was hacked. Users are fleeing for the exit and swapping for any liquidity available.

$EVMOS is pumping hard following the Nomad bridge exploit

Everybody tries to convert their Nomad $USDC to $EVMOS pic.twitter.com/8LZbgIqoIc
— Yield God 📈 (@YieldGod) August 1, 2022

The nature of the exploit means that everything couldn’t be drained in a single transaction. Instead, the attack dragged on for an agonizing 2.5 hours, as the attacker continued to rip through the token supplies, whitehats frantically tried to save what they could, generalized frontrunner bots started indiscriminately sniping whatever transactions they could, and lesser vultures started to pick at the bones of the protocol.

As the dust settles and the post-mortems roll in, I’ll update this post with more details. For now, the bridge is drained, and negotiations with the attacker have begun.

This article may contain links to third-party websites or other content for information purposes. BowTiedIsland may receive a commission at no cost to you if you purchase a product after clicking one of these links. The Third-Party Sites are not under the control of BowTiedIsland, and BowTiedIsland is not responsible for the content of any Third-Party Site. All information contained herein is the opinion of the writer and does not constitute financial advice. We aim to act as a neutral third party and aid in your research and analysis.

The Jungle

Crypto, Investing, and E-Commerce with BowTied Bull

The future is internet based, therefore we have a triangle based approach with crypto, e-commerce business making and Investing in traditional assets

Learn More

The Culture War with BowTiedRanger

Whether you’re a political junkie or just interested in current events.

You’ve come to the right place for analysis of the most relevant current events and political issues.

Learn More

Fitness With BowTiedOx

BowTiedOx provides you a place to find all of his latest programs and guides.

Weekly newsletters that cover fitness, health, and mindset, all grounded in the fundamentals of physiology.

Learn More

Media Production with BowTied Turkey and BowTied Tamarin

Video is no longer optional.

Don’t get left behind.

Your brand deserves professional videos to engage your audience.

Learn More

Art & Graphic Design with BowTied Patriot

BowTied Patriot is a graphic artist who specializes in photography, mixed medium custom artwork, and NFT creation.

Join BowTiedPatriot as he dives into making Art in Web3.0 and The Metaverse.

Learn More

Cooking with BowTiedOctopod

Learn secrets from a fine dining chef for maximum flavor and time-saving efficiency

Newsletters on Ingredients, Techniques and Flavor hacks that will have you eating better. We will never eat bugs!

Learn More

Meme Warfare with DgenFren

Increase your online engagement, organically influence narratives, and build your online persona by using marketing that your target audience actually wants: memes.

Learn More