Bad code has resulted in $190 million being drained from Nomad’s bridge, a cryptocurrency protocol that allows people to move crypto coins between different blockchains. In what’s being called a “decentralized robbery,” a flaw in Nomad’s coding allowed people to steal money just by copy-and-pasting a script.
All blockchains may be indistinguishable to the uninitiated, but crypto traders often use several different ones, like ethereum, avalanche and solana. Trading tokens between different blockchains — like taking bitcoins and using them on ethereum’s blockchain, or taking ether coins and using them on solana — can actually be quite complex. To service this demand, several companies, including Nomad, have created “cross-chain” bridges. You deposit cryptocurrency in a smart contract on one blockchain and “bridge” those tokens to a different blockchain.
The key point, as it pertains to Monday’s exploit, is that this whole process relies on cryptocurrency being locked into the smart contract. A single ether deposited into an ethereum smart contract acts as collateral for the ether the user receives on, say, Avalanche’s blockchain. Nomad had over $190 million in people’s funds in its smart contract before the exploit. At the time of writing, only $9,000 remains locked in the smart contract.
Unfortunately, an “upgrade” to that smart contract led to an exploit that anyone could take advantage of. Decentralized finance being what it is — anonymous and susceptible to shady maneuvers — meant that $190 million was sucked out of the protocol in a number of hours.
You’d need to know ethereum’s development language, Solidity, to understand the technical aspects. The gist is that the smart contract broke. Certain transactions that shouldn’t be approved could be pushed through and replicated. It appears that suspicious transactions began occurring at around 9:13 a.m. PT, when several wallets removed 100 bitcoin ($1.7 million) from the bridge. All anyone had to do from there was copy and paste the exact script the scammer used, replacing the original exploiter’s wallet number with their own, and push it through. Others took out funds in ether and the USDC stablecoin, among other tokens.
“This is why the hack was so chaotic,” said Sam Sun, a researcher for crypto investment firm Paradigm, in a tweet thread deconstructing the exploit. “You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
“Easy as CTRL-C, CTRL-V,” tweeted another blockchain sleuth.
Since most people were copy-and-pasting information, funds were funneled out in identical chunks. There were hundreds of transactions that saw people withdraw $202,440 in the USDC stablecoin at a time, for instance.
In the blockchain equivalent of “America’s Dumbest Criminals” types who rob gas stations with their nametag on, some people exploited their smart contract with public wallet addresses that are designed to be traceable. Many sent the funds back. Others claimed to be acting in good faith, withdrawing funds that they pledged to protect and send back when the smart contract was secure.
“We are aware of the incident involving the Nomad token bridge,” Nomad said in a statement on Twitter. “We are currently investigating and will provide updates when we have them.”
Nomad didn’t immediately respond to a request for further comment.