The Nomad token bridge was exploited on August 1 in an attack that let a crowd of copycats drain the bridge of $190.7 million.
The first sign of trouble came at about 9:23 pm UTC, when an attacker exploited the bridge to withdraw 100 WBTC worth $2.3 million.
Others then copied the transaction data of that first suspicious transaction, swapped in their own address, and joined in draining the funds.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇
— samczsun (@samczsun) August 1, 2022
The Nomad bridge allowed token transfer between Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Moonbeam (GLMR), and Milkomeda C1 blockchains.
Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge – all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan. In true crypto fashion – the first decentralized robbery. https://t.co/jWV9AamBer
— FatMan (@FatManTerra) August 2, 2022
Unlike other crypto exploits where only a few addresses are directly tied to the hack, hundreds of addresses were responsible for draining the Nomad bridge of almost all the $190.7 million locked in it.
2/ Apparently there are multiple wallets involved in this hack and successfully drained the funds.
In total, $39 million in USDC has been stolen in a single transaction withdrawing $202,440 multiple times from the bridge.
— The woke blunt🚀 (@Manikumar111111) August 2, 2022
Bizarrely, many of the exploit transactions carried exactly the same amount, a side effect of attackers replaying the same transaction data and changing only the recipient. For instance, there were over 200 transactions of exactly 202,440.725413 USDC.
Several tokens like WBTC, WETH, USDC, FRAX, CQT, HBOT, IAG, DAI, GERO, CARDS, SDL, and C3 were stolen from the bridge.
According to 0xfoobar, the attack happened because of a poor operational strategy that caused a "bad Merkle root initialization which led to every message being proven valid by default."
TL;DR – a poor operational strategy led to bad merkle root initialization which led to every message being proven valid by default
Rough timing as the Nomad team raised a $22 million round several months ago and recently announced significant backing https://t.co/tsPTigF8XV
— foobar (@0xfoobar) August 2, 2022
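To make the root cause quoted above concrete, here is an added, simplified model of a bridge replica whose trusted Merkle root was initialised to the all-zero value. This is illustrative code written for this article, not Nomad's contracts: the class and field names (Replica, confirm_at, messages, process) and the message format are assumed, and SHA-256 stands in for keccak256 so the example has no dependencies. The point it shows is that a message that was never proven looks up to the default (zero) root, and if the zero root is marked as confirmed, every such message passes the acceptance check; the hardened variant refuses the zero root both at initialisation and at processing time.

```python
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # the default value an unset bytes32 storage slot holds


def message_hash(message: bytes) -> bytes:
    # Stand-in for keccak256; only the "unset slot -> zero" behaviour matters here.
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    """Assumed, simplified replica: a message is processed only if the Merkle root it
    was proven against has been confirmed. Not Nomad's code."""
    trusted_root: bytes
    now: int = 1_000                  # current block timestamp (constructed)
    reject_zero_root: bool = False    # True = hardened variant
    confirm_at: dict = field(default_factory=dict)  # root -> timestamp it becomes acceptable (0 = never)
    messages: dict = field(default_factory=dict)    # message hash -> root it was proven against
    processed: set = field(default_factory=set)     # replay protection

    def __post_init__(self) -> None:
        if self.reject_zero_root and self.trusted_root == ZERO_ROOT:
            raise ValueError("refusing to initialise with the zero root")
        # The trusted root is marked confirmed at timestamp 1, i.e. immediately acceptable.
        # With trusted_root == ZERO_ROOT this is the bad initialisation.
        self.confirm_at[self.trusted_root] = 1

    def prove(self, message: bytes, root: bytes) -> None:
        # A Merkle inclusion proof of `message` against `root` is assumed to be verified here.
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        t = self.confirm_at.get(root, 0)
        return t != 0 and t <= self.now

    def process(self, message: bytes) -> bool:
        h = message_hash(message)
        # A message that was never proven maps to the default slot value: the zero root.
        root = self.messages.get(h, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: an unproven message can never be acceptable
        if not self.acceptable_root(root):
            return False
        if h in self.processed:
            return False  # replay protection only blocks the byte-identical message
        self.processed.add(h)
        return True


def forge_withdrawal(recipient: str, amount: int) -> bytes:
    # Constructed message body; real bridge messages carry more fields.
    return f"withdraw:{amount}:{recipient}".encode()


def init_rejects_zero_root() -> bool:
    try:
        Replica(trusted_root=ZERO_ROOT, reject_zero_root=True)
    except ValueError:
        return True
    return False


def demo() -> dict:
    # Vulnerable deployment: trusted root initialised to 0x00.
    vuln = Replica(trusted_root=ZERO_ROOT)
    first = forge_withdrawal("0xattacker", 100)
    copied = forge_withdrawal("0xcopycat", 100)  # same data, only the recipient swapped
    results = {
        "vuln_unproven_passes": vuln.process(first),   # never proven, yet accepted
        "vuln_copycat_passes": vuln.process(copied),   # copy-paste with a new address also accepted
        "vuln_replay_blocked": not vuln.process(first),  # only the identical message is blocked
    }
    # Hardened deployment: a real root, and the zero root is refused everywhere.
    good_root = hashlib.sha256(b"constructed real root").digest()
    fixed = Replica(trusted_root=good_root, reject_zero_root=True)
    results["fixed_unproven_rejected"] = not fixed.process(first)
    fixed.prove(first, good_root)
    results["fixed_proven_passes"] = fixed.process(first)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")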
The Nomad team confirmed the exploit and claimed to be investigating the events.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Meanwhile, Moonbeam went into maintenance mode “to investigate a security incident with a smart contract deployed on the network.”
1/ Important Notice: The Moonbeam Network has gone into Maintenance Mode in order to investigate a security incident with a smart contract deployed on the network.
— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 1, 2022
1/ Earlier today, there was a security incident that impacted the @nomadxyz_ bridges to Moonbeam. Nearly all the assets in Nomad’s Ethereum Mainnet smart contract have been drained. We have found no evidence that the recent security incident was related to the Moonbeam codebase.
— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 2, 2022
PeckShield revealed that it detected 41 addresses that grabbed roughly $152 million (about 80%) of the stolen funds.
According to the blockchain security firm, one of the wallets belonged to the hacker who stole $80 million from DeFi platform Rari Capital and Saddle Finance.
#PeckShieldAlert PeckShield has detected ~41 addresses grabbed ~$152M (~80%) in the @nomadxyz_ bridge exploit, including ~7 MEV Bots (~$7.1M), @RariCapital Arbitrum exploiter (~$3.4M), and 6 White Hat (~$8.2M).
~10% of these addresses with ENS names getting $6.1M
— PeckShieldAlert (@PeckShieldAlert) August 2, 2022
Whitehat hackers save some of the stolen funds
While the whole thing looked like free-for-all looting, the available information indicates that some of those who took funds from the bridge were whitehat hackers trying to keep the funds out of thieves' hands.
Some who drained the funds have confirmed that they plan to return them.
im returning this money, fbi pls calm down. no i didnt plan to steal it and yes i know this address is doxed
— 🍉🍉🍉.eth (@SpaceWigger) August 2, 2022
One of them wrote:
“This is a whitehack. I plan to return the funds. Waiting for official communication from Nomad team (please provide an email id for communication). I have not swapped any assets even after knowing that USDC can be frozen. Transferred USDC, FRAX and CQT token from other addresses in order to consolidate. I wish I could rescue more funds but it was too slow.”
Others have also identified as whitehat hackers and asked the team to get in touch, including someone who was able to get $1 million.
A couple of those grabbing bridge funds, some who have publicly come forward and offered to return
🍉🍉🍉.eth
Rari Capital Exploiter
darkfi.eth
— foobar (@0xfoobar) August 2, 2022