
All About Nomad Bridge Hack: Attack of the Copycats



Oct 23, 2022  
A small smart contract flaw lets a large number of attackers steal the project's funds. Here's what happened behind the Nomad Bridge hack.

Massive heists continue to pollute the crypto world. Millions of dollars worth of digital currencies have been stolen from crypto firms lately. Strikingly, most of those incidents occurred in the same type of firm: DeFi bridges.

From the $540 million Ronin Bridge hack story in March to the $250 million Wormhole Bridge case in February, it's hard to say that it's merely a coincidence. It appears that instead of using crypto exchanges as the main point of attack, these illicit actors now prefer to steal from DeFi bridges.

Bridges refer to the infrastructure that allows users to exchange assets between different blockchains. When a bridge swaps one coin for another, it basically "wraps" the asset so that it will be able to function on the other blockchain. So, every time an investor deposits a coin, the bridge will issue a new token to represent the wrapped coin on a different blockchain. This is why bridges must hold large reserves of various coins to back those wrapped coins. Naturally, such huge coin reserves are attracting hackers and turning DeFi bridges into main targets for crypto attacks.

In the most recent case, hackers reportedly stole nearly $200 million worth of cryptocurrency from Nomad Bridge, a crypto bridge provider that allows users to swap tokens between Ethereum, Avalanche, Evmos, Milkomeda C1, and Moonbeam. Interestingly, the Nomad Bridge case turned out to be quite simple and most of the exploiters were just copycats. What does that mean?

 

The Case of Copycats

The first suspicious transaction occurred at Ethereum block 1525801 on August 1, 2022. The attacker was able to withdraw 100 WBTC from the bridge and later swapped them for WETH and ETH. Not long after, a swarm of copycats joined the party. In just a matter of a few hours, the bridge's wallet balance dropped down from over $190 million to $16.5k. The stolen tokens were mostly USDC, followed by WETH, WBTC, and CQT.

Apparently, those new attackers or 'copycats' had found a way to copy the original hacker's transaction call data. They simply replaced the original address with their own and the transaction would succeed; as easy as CTRL+C and CTRL+V. As a result, over $186 million of ERC-20 tokens were drained from the Nomad Bridge between August 1 and August 2, 2022.

Nomad first acknowledged the incident on Twitter. According to the tweet, they were "working hard to address the situation". The company has also notified law enforcement and retained leading firms for blockchain intelligence and forensics to help them solve the case. Still, the shock wave was inevitable in the global crypto community.

 

The Root Cause

According to Nomad, the hack was caused by the implementation of a smart contract upgrade called the Replica contract that took place in June 2021. There is a flaw in the system that makes it unable to authenticate messages properly, so any message can be modified as long as it hasn't been processed. As a result, contracts relying on the Replica upgrade for authentication suffered a critical security failure.

The first attacker then took advantage of this vulnerability by crafting a message that tricked the bridge into sending the stored tokens without proper authorization. Once the code was cracked, the rest of the hackers could easily copy the trick and extract the funds into their own pockets.

In total, about 88% of the hackers' addresses were identified as copycats. They used a number of variations of the original message by modifying the targeted tokens, amounts, and recipient addresses.
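The copy-and-replace pattern described here and in "The Case of Copycats" is something a monitoring team can detect while it is happening. The Python example below is an added illustration, not code from the original article or from Nomad: it masks each caller's own address in the call data and clusters calls to one contract that share most of their 32-byte words. The five-word call layout, selectors, addresses, thresholds and transactions are all constructed for the example.

```python
# Added example: cluster calls to a bridge contract that replay one call's data
# with only caller-specific fields changed. All sample values are constructed.

def _hex(s):
    s = s.lower()
    return s[2:] if s.startswith("0x") else s

def mask_sender(calldata, sender):
    """Replace the sender's own 20-byte address in the calldata with a placeholder."""
    return _hex(calldata).replace(_hex(sender), "s" * 40)

def similarity(a, b):
    """Fraction of 32-byte ABI words shared by two masked calls with the same selector."""
    if a[:8] != b[:8] or len(a) != len(b):
        return 0.0
    wa = [a[i:i + 64] for i in range(8, len(a), 64)]
    wb = [b[i:i + 64] for i in range(8, len(b), 64)]
    return sum(x == y for x, y in zip(wa, wb)) / len(wa) if wa else 0.0

def find_copycats(txs, bridge, window=3600, min_senders=3, threshold=0.5):
    """Return clusters of look-alike calls to `bridge` made by several distinct senders."""
    clusters = []
    for tx in sorted(txs, key=lambda t: t["ts"]):
        if _hex(tx["to"]) != _hex(bridge):
            continue
        masked = mask_sender(tx["input"], tx["from"])
        for c in clusters:
            recent = tx["ts"] - c["first_ts"] <= window
            if recent and similarity(masked, c["template"]) >= threshold:
                c["senders"].add(_hex(tx["from"]))
                c["hashes"].append(tx["hash"])
                break
        else:  # nothing similar seen yet: this call starts a new cluster
            clusters.append({"template": masked, "first_ts": tx["ts"],
                             "senders": {_hex(tx["from"])}, "hashes": [tx["hash"]]})
    return [c for c in clusters if len(c["senders"]) >= min_senders]

# --- constructed sample data (not real addresses, selectors or transactions) ---
BRIDGE, OTHER = "0x" + "b0" * 20, "0x" + "c0" * 20
TOKEN_A, TOKEN_B = "aa" * 20, "bb" * 20

def call(selector, token, amount, recipient):
    words = ["01", "02", token, format(amount, "x"), _hex(recipient)]
    return "0x" + selector + "".join(w.rjust(64, "0") for w in words)

def tx(h, ts, sender, to, selector, token, amount):
    return {"hash": h, "ts": ts, "from": sender, "to": to,
            "input": call(selector, token, amount, sender)}

S = ["0x" + d * 20 for d in ("11", "22", "33", "44", "55")]
SAMPLE = [
    tx("0xa1", 0,    S[0], BRIDGE, "deadbeef", TOKEN_A, 100),   # first call
    tx("0xa2", 600,  S[1], BRIDGE, "deadbeef", TOKEN_A, 100),   # exact copy, own address
    tx("0xa3", 900,  S[3], BRIDGE, "12345678", TOKEN_A, 7),     # unrelated call
    tx("0xa4", 1200, S[2], BRIDGE, "deadbeef", TOKEN_B, 5000),  # token and amount changed
    tx("0xa5", 1500, S[4], OTHER,  "deadbeef", TOKEN_A, 100),   # different contract
]

if __name__ == "__main__":
    for c in find_copycats(SAMPLE, BRIDGE):
        print(len(c["senders"]), "senders:", c["hashes"])
```

Raising `threshold` restricts a cluster to near-exact copies, while lowering it also catches the variants that change token and amount, at the cost of more false positives on contracts whose normal calls look alike.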

 

The Aftermath

As a result of the system's vulnerability, over $190 million was drained from the Nomad Bridge. On August 3, 2022, the co-founder of Nomad and his team put up a request for the hackers to return the funds to a specific recovery address. Nomad also announced a bounty of up to 10% for those who return at least 90% of the funds they exploited, letting them keep the rest. The company also won't take any legal action against those who return the funds.

As of August 9, about 17% of the stolen funds have been returned to the recovery address. Most of the returns happened in the few hours following Nomad's request and continued for the next couple of days, although the number of returns slowly thinned out compared with when the address was first posted.

What's interesting is that the majority of the returned funds are in USDC, followed by USDT, WBTC, DAI, CQT, and WETH. It is worth noting that the original hackers mostly took WBTC and WETH. The fact that most of the returned funds came in the form of USDC and USDT suggests that most of the funds came from later-stage copycat hackers.

Hackers who fully send the stolen funds back to the recovery address are referred to as white hats. Some people believe that the white hats only stole the funds because they were trying to protect the funds from malicious actors. Meanwhile, those who only partially send the funds back are called grey hats and those who don't return the funds at all are called black hats.

So far, more than $36 million of the stolen funds have been recovered, thanks to the white hats. The rest of the money either remained untouched or has been moved onward. It's still unclear whether the black hat hackers are just waiting for the heat to die down or they are still holding on for a better bounty from Nomad.

 

Why Hackers are Interested in Bridges

There are several possible reasons why crypto scammers and hackers are so attracted to DeFi bridges lately:

  • Huge profit. As mentioned above, DeFi bridges hold a lot of money, similar to crypto exchanges. Instead of using the traditional social engineering attack and exploiting security design issues, these new hackers tend to target specific software loopholes, as in most bridge hack cases.
  • Easier and cheaper. It's considered easier to use assets that are not native to the network. Bridges allow malicious actors to transfer funds more quickly at a lower cost. They can also get exposure to assets that aren't native to the network while gaining the benefits of the other network.
  • Consolidation. Hackers can combine funds from different networks, which makes the transaction easier to handle and launder onwards. This also adds a layer of complexity to trace the funds, so they can mask their traces a bit better.
  • Access to a wider selection of dApps. Different dApps have different functions, so hackers can get more creative in using various tools when executing their plans.

 

What's Next?

If you were a Nomad client and you had put some funds in the bridge, unfortunately, there's nothing you can do now. The wisest thing to do is to wait for the official instructions from the Nomad team. Some people might message you and promise to return your funds. These are scammers, so do not interact with them.

To prevent losing more money in the future, here are some tips to keep in mind:

  • Understand and stay up to date with the security policies of the protocols that you use.
  • Regularly review any contract approvals that you don't need.
  • When adding liquidity, don't put all of your money in a single protocol or store them all in one bridge.
  • Search up and block crypto addresses that have been involved with illicit activity in the past.
  • Monitor the inputs and outputs of protocols that have been abused by illicit actors before.
  • Work with blockchain intelligence providers to immediately identify when illicit funds have moved from one network to another.

 

The Future of DeFi Bridges

The Nomad Bridge hack is now the fourth largest DeFi hack in history and the third biggest one in 2022, following the Wormhole Bridge hack in February and the Ronin Bridge hack in March. It seems that crypto hacks have become popular these days, considering that over $1 billion in digital assets have been stolen from the start of 2021 through March of this year. This shows that there are loopholes scattered in the blockchain system, waiting to be discovered by malicious hackers.

The growing number of bridge attack cases only adds to the security concerns within the crypto community. This might explain why crypto markets are often going bearish these days. Although crypto transactions remain popular, there's no guarantee that they will stay that way in the following years.

Nevertheless, one thing to remember is that in every industry, there are always crashes and burns. To some extent, these hacks are even "necessary" to improve the existing security protocols. We can think of it as just a part of the process of building strong and lasting mechanisms.

In order to prevent getting caught in a troublesome hack case and losing money, it's important to take precautionary actions and protect your funds. Don't put all your eggs in one basket to minimize the risks. Lastly, always make sure to put your funds in a reliable company with good security measures.


7 Comments

Case

Oct 26 2022

Could you please provide an explanation of what blockchain is? From the information provided, it seems that bridges play a role in facilitating transactions between different blockchains. Before delving into the specific details of bridges, I would like to have a better understanding of the fundamental concept of blockchain. How does blockchain work, and what are its key characteristics that distinguish it from traditional databases or record-keeping systems? Additionally, how does the decentralized nature of blockchain contribute to its security and immutability? Thank you!

Tomoa Hayate

May 31 2023

@Case: Hey there! I will explain blockchain a little more briefly. You can read the rest here: Blockchain: The Future of Wire Transfers.

So, in short, Blockchain is a decentralized digital ledger that records transactions across multiple computers. It works by grouping transactions into blocks, which are linked together in a chain. It's different from traditional systems because it doesn't rely on a central authority and is transparent, secure, and tamper-proof. The decentralized nature of blockchain enhances security by eliminating a single point of failure, and consensus mechanisms ensure agreement on valid transactions. This makes blockchain reliable and resistant to fraud. Its transparency and trustless nature allow parties to engage in transactions without intermediaries. Overall, blockchain provides a secure and transparent way to record and verify information.

Ferran

May 18 2023

What I have learned from this article is the following:

  • Firstly, in the realm of cryptocurrencies, a bridge serves as a medium for transferring funds between different cryptocurrencies. Similar to a physical bridge, it facilitates the connection between various elements.
  • Secondly, due to the multitude of crypto transactions taking place on the bridge, it becomes a target for hackers, considering the presence of different currencies involved.
  • Thirdly, the article emphasizes the aspect of fund security. Numerous funds are entrusted to the bridge, but unfortunately, they can be lost due to hacker attacks.
  • Lastly, the article highlights the frequency of bridge attacks, signifying the potential risks involved in storing cryptocurrencies solely on a bridge. It suggests using a crypto wallet as a safer alternative.

Thank you for sharing the article! It has provided valuable insights into the concept of bridges and the associated risks of attacks.

Lidya

May 24 2023

I think the article really opened up my mind about the crypto world. At first, they said crypto is super safe, especially from hackers, because of the blockchain technology. I mean, the blockchain is a decentralized ledger that records all transactions and is maintained by a network of computers known as nodes. The distributed nature of the blockchain makes it difficult for hackers to manipulate or alter transaction records. And the encryption there is really hard to breach. But after reading this article, I think the weak spot in crypto is when you do the transaction outside the blockchain, I mean they attacked the bridge, right? And the bridge is operated by the service provider, right? So, I want to know, is there any bridge provider that can be considered safe?

Hyuga

May 28 2023

@Lidya:  You're absolutely right! The blockchain technology used in cryptocurrencies provides a high level of security due to its decentralized and immutable nature. However, as highlighted in the article, one vulnerability lies in the bridges or connections between different blockchain networks or when interacting with centralized services.

When it comes to bridge providers, it's essential to choose reputable and trusted platforms. Look for providers that have a strong track record, established reputation, and robust security measures in place. Conduct thorough research, read reviews, and consider the transparency and accountability of the provider.

Some well-known bridge providers in the crypto space that I know include Chainlink, Ren Protocol, and Wrapped Bitcoin (WBTC). These platforms aim to enhance interoperability between different blockchains while prioritizing security and trustworthiness.

Jorge

Jun 4 2023

Hey there, besides this bridge attack, I want to know: when it comes to cryptocurrencies, we often witness significant price drops and market volatility. In such situations, it's important to consider how brokers handle these fluctuations. So, I'm curious to know, in general, what measures or policies brokers have in place to assist traders during periods of cryptocurrency price drops.

For instance, do brokers offer risk management tools or educational resources to help traders navigate turbulent markets and make well-informed decisions? Are there features like stop-loss orders or margin call protection to limit potential losses? Additionally, do brokers provide timely market analysis or updates to keep traders informed about the latest developments in the cryptocurrency space?

Erling

Jun 5 2023

@Jorge: Hey there! That's a solid question, especially when it comes to the crazy ups and downs of cryptocurrencies. Brokers totally get it and they've got your back during those wild price drops.

So, what do brokers do to help you out? Well, they've got some nifty risk management tools to keep your losses in check. One of those tools is the stop-loss order, which lets you set a limit on how much you're willing to lose. If the market goes south, the order kicks in and saves you from big losses. Some brokers even offer margin call protection to prevent your account from going into the negative.

But that's not all! Brokers know that knowledge is power, so they provide educational resources to keep you in the loop. You'll find trading guides, webinars, articles, and all sorts of goodies to help you understand the cryptocurrency market better. They want you to make smart decisions and avoid getting caught off guard.

