A small smart contract flaw lets a large number of attackers steal the project's funds. Here's what happened behind the Nomad Bridge hack.

Massive heists continue to pollute the crypto world. Millions of dollars worth of digital currencies have been stolen from crypto firms lately. Strangely, most of those incidents no longer occurred in the same type of firm: DeFi bridges.

From the $540 million Ronin Bridge hack story in March to the $250 million Wormhole Bridge case in February, it's hard to say that it's merely a coincidence. It appears that instead of using crypto exchanges as the main point of attack, these illicit actors now prefer to steal from DeFi bridges.

Bridges refer to the infrastructure that allows users to exchange assets between different blockchains. When a bridge swaps one coin for another, it basically "wraps" the asset so that it will be able to function on the other blockchain. So, every time an investor deposits a coin, the bridge will issue a new token to represent the wrapped coin on a different blockchain. This is why bridges must hold large reserves of various coins to back those wrapped coins. Naturally, such huge coin reserves are attracting hackers and turning DeFi bridges into main targets for crypto attacks.

In the most recent case, hackers reportedly stole nearly $200 million worth of cryptocurrency from Nomad Bridge, a crypto bridge provider that allows users to swap tokens between Ethereum, Avalanche, Evmos, Milkomeda C1, and Moonbeam. Interestingly, the Nomad Bridge case turned out to be quite simple and most of the exploiters were just copycats. What does that mean?

Nomad bridge hack


The Case of Copycats

The first suspicious transaction occurred at Ethereum block 1525801 on August 1, 2022. The attacker was able to withdraw 100 WBTC from the bridge and later swapped them for WETH and ETH. Not long after, a swarm of copycats joined the party. In just a matter of a few hours, the bridge's wallet balance dropped down from over $190 million to $16.5k. The stolen tokens were mostly USDC, followed by WETH, WBTC, and CQT.

Apparently, those new attackers or 'copycats' had found a way to copy the original hacker's transaction call data. They simply replaced the original address with their own and the transaction would succeed; as easy as CTRL+C, and CTRL+V. As a result, over $186 million of ERC-20 tokens were drained from the Nomad Bridge between August 1 and August 2, 2022.

Nomad first acknowledged the incident on Twitter. According to the tweet, they were "working hard to address the situation". The company has also notified law enforcement and retained leading firms for blockchain intelligence and forensics to help them solve the case. Still, the shock wave was inevitable in the global crypto community.


The Root Cause

According to Nomad, the hack was caused by the implementation of a smart contract upgrade called the Replica contract that took place in June 2021. There is a flaw in the system that makes it unable to authenticate messages properly, so any message can be modified as long as it hasn't been processed. As a result, contracts relying on the Replica upgrade for authentication suffered a critical security failure.

The first attacker then took advantage of such a vulnerability by arranging a message that was able to trick the bridge into sending the stored tokens without proper authorization. Once the code is cracked, the rest of the hackers can easily copy the trick and extract the funds to their pockets.

In total, about 88% of the hackers' addresses were identified as copycats. They used a number of variations of the original message by modifying the targeted tokens, amounts, and recipient addresses.


The Aftermath

As a result of the system's vulnerability, over $190 million was drained from the Nomad Bridge. On August 3, 2022, the co-founder of Nomad and his team put up a request for the hackers to return the funds to a specific recovery address. Nomad also announced an up to 10% bounty to those who return at least 90% of the funds they exploited and let them keep the rest. The company won't take any legal action either against those who returned the funds.

As of August 9, about 17% of the stolen funds have been returned to the recovery address. Most of the returns happened a few hours following Nomad's request and continued for the next couple of days, although the number slowly began to thin out than when the address was first posted.

What's interesting is that the majority of the returned funds are in USDC, followed by USDT, WBTC, DAI, CQT, and WETH. It is worth noting that the original hackers mostly took WBTC and WBTH. The fact that most of the returned funds came in the form of USDC and USDT suggests that most of the funds came from later-stage copycat hackers.

Hackers who fully send the stolen funds back to the recovery address are referred to as white hats. Some people believe that the white hats only stole the funds because they were trying to protect the funds from malicious actors. Meanwhile, those who only partially send the funds back are called grey hats and those who don't return the funds at all are called black hats.

So far, more than $36 million of the stolen funds have been recovered, thanks to the white hats. The rest of the money either remained untouched or has been moved onward. It's still unclear whether the black hat hackers are just waiting for the heat to die down or they are still holding on for a better bounty from Nomad.


Why Hackers are Interested in Bridges

There are several possible reasons why crypto scammers and hackers are so attracted to DeFi bridges lately:

  • Huge profit. As mentioned above, DeFi bridges hold a lot of money, similar to crypto exchanges. Instead of using the traditional social engineering attack and exploiting security design issues, these new hackers tend to target specific software loopholes, as in most bridge hack cases.
  • Easier and cheaper. It's considered easier to use assets that are not native to the network. Bridges allow malicious actors to transfer funds more quickly at a lower cost. They can also get exposure to assets that aren't native to the network while gaining the benefits of the other network.
  • Consolidation. Hackers can combine funds from different networks, which makes the transaction easier to handle and launder onwards. This also adds a layer of complexity to trace the funds, so they can mask their traces a bit better.
  • Access to a wider ion of dApps. Different dApps have different functions, so hackers can get more creative in using various tools when executing their plans.


What's Next?

If you were a Nomad client and you had put some funds in the bridge, unfortunately, there's nothing you can do now. The wisest thing to do is to wait for the official instructions from the Nomad team. Some people might message you and promise to return your funds. These are scammers, so do not interact with them.

To prevent losing more money in the future, here are some tips to keep in mind:

  • Understand and stay up to date with the security policies of the protocols that you use.
  • Regularly review any contract approvals that you don't need.
  • When adding liquidity, don't put all of your money in a single protocol or store them all in one bridge.
  • Search up and block crypto addresses that have been involved with illicit activity in the past.
  • Monitor the inputs and outputs of protocols that have been abused by illicit actors before.
  • Work with blockchain intelligence providers to immediately identify when illicit funds have moved from one network to another.


The Future of DeFi Bridges

The Nomad Bridge hack is now the fourth largest DeFi hack in history and the third biggest one in 2022, following the Wormhole Bridge hack in February and the Ronin Bridge hack and in March. It seems that crypto hacks have become popular these days, considering that over $1 billion in digital assets have been stolen from the start of 2021 through March of this year. This shows that there are loopholes scattered in the blockchain system, waiting to be discovered by malicious hackers.

The growing number of bridge attack cases only adds to the security concerns within the crypto community. This might explain why crypto markets are often going bearish these days. Although crypto transactions remain popular, there's no guarantee that they will stay that way in the following years.

Nevertheless, one thing to remember is that in every industry, there are always crashes and burns. To some extent, these hacks are even "necessary" to improve the existing security protocols. We can think of it as just a part of the process of building strong and lasting mechanisms.

In order to prevent getting caught in a troublesome hack case and losing money, it's important to take precautionary actions and protect your funds. Don't put all your eggs in one basket to minimize the risks. Lastly, always make sure to put your funds in a reliable company with good security measures.