Nomad Crypto Exploit Let People Steal Millions by Copy-Pasting a Script

Bad code has allowed £190 million to be drained from Nomad's bridge, a cryptocurrency protocol that lets people move tokens between different blockchains. In what is being called a "decentralized robbery", a flaw in Nomad's smart contract let people take money they did not own simply by copying and pasting someone else's transaction.

All blockchains may look alike to the uninitiated, but crypto traders often use several different ones, such as Ethereum, Avalanche and Solana. Moving tokens between chains, for example taking bitcoin and using it on Ethereum, or taking ether and using it on Solana, is actually quite complex.

To meet this demand, several projects have built "cross-chain" bridges. You deposit cryptocurrency into a smart contract on one blockchain and "bridge" those tokens to a different blockchain, where you receive a representation of them. The key point for Monday's exploit is that this whole arrangement depends on the deposited cryptocurrency staying locked in that smart contract.

A single ether deposited into an Ethereum smart contract acts as collateral for the wrapped ether the user receives on, say, Avalanche's blockchain. Nomad held more than £190 million of users' funds in its smart contract before the exploit. At the time of writing, only about £9,000 remained locked in it.

Unfortunately, an "upgrade" to that smart contract introduced a flaw that anyone could exploit. Decentralized finance being what it is, anonymous and notoriously degenerate, £190 million was drained from the protocol within a few hours.

Messages popping up in public Discord servers of random people grabbing £3K-£20K from the Nomad bridge – all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan. In true crypto fashion – the first decentralized robbery. https://t.co/jWV9AamBer

— FatMan (@FatManTerra) August 2, 2022

Nomad bridge getting actively hacked.

WETH and WBTC being taken out in million-dollar increments. Withdraw all funds if you can, still £126m remaining in the contract that’s likely at risk pic.twitter.com/oDo7oT1glW

— foobar (@0xfoobar) August 1, 2022

This attack against Nomad was something I've never seen before. People started replicating the attack after a few minutes, while the initial attacker drained out the pool systematically.

At some point, random dudes with ENS names were getting a million USDC per transaction. pic.twitter.com/KgBxAfLHtJ

— raz (@leadinscientist) August 1, 2022

You would need to know Ethereum's development language, Solidity, to follow the technical details, but the gist is that the contract's authorization check broke. The upgrade initialised the bridge's message-verification contract with an all-zero Merkle root and recorded that root as trusted. Every message that had never been proven mapped to that same zero root, so the contract's acceptance check passed for arbitrary unproven messages, and anyone could submit a made-up withdrawal message and have the bridge release funds. Worse, because the check did not depend on who was calling, the same transaction could be replicated by anyone.

Suspicious transactions appear to have begun at around 9:13 a.m. PT, when several wallets removed 100 bitcoin (as WBTC, about £1.7 million) from the bridge. From there, all anyone had to do was copy the exploiter's transaction, replace the original exploiter's wallet address with their own, and broadcast it.

Others took funds out in ether and the USDC stablecoin, among other tokens. “This is why the hack was so chaotic,” said Sam Sun, a researcher for crypto investment firm Paradigm, in a tweet thread deconstructing the exploit. “You didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

"Easy as CTRL-C, CTRL-V," tweeted another blockchain sleuth. Because most people were copying and pasting the same transaction, funds left the bridge in identical chunks: there were hundreds of transactions that each withdrew exactly £202,440 in the USDC stablecoin, for instance.
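The copy-paste replay described above, and the identical-chunk pattern it produces on-chain, can be modelled and detected in a few dozen lines. The following is an added example written for this article, not Nomad's code; the function selector, addresses and amounts are constructed, and the "address-shaped word" heuristic is an assumption about how ABI-encoded recipient addresses look in calldata. It shows both halves: the find/replace that turned one exploit transaction into hundreds, and a detector that masks the recipient and flags a template shared by many distinct senders.

```python
"""Copy-paste replay detection for bridge withdrawals.

Added example for this article, not Nomad's code. It models the pattern
the article describes: one working exploit transaction is copied, the
recipient address inside the calldata is find/replaced, and the result
is re-broadcast, so the chain fills with near-identical transactions.
The detector masks address-shaped words in the calldata and groups
transactions by what remains; many distinct senders on one template is
the replay signature. Selector, addresses and amounts are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Tx(NamedTuple):
    sender: str    # externally owned account that broadcast the tx
    to: str        # contract called (the bridge)
    calldata: str  # 0x-prefixed hex: 4-byte selector + 32-byte words


# Hypothetical 4-byte selector standing in for the bridge's entry point.
SELECTOR = "0xdeadbeef"
BRIDGE = "0x" + "11" * 20
USDC_DECIMALS = 6

# Heuristic (an assumption): a 32-byte ABI word holding an address is 24
# zero nibbles followed by 40 address nibbles, the first of them nonzero.
# Small integers also have 24+ leading zeros, so the nonzero 25th nibble
# is what separates an address word from an amount word.
ADDR_WORD = re.compile(r"0{24}[1-9a-f][0-9a-f]{39}")


def word(hex_digits: str) -> str:
    """Left-pad hex digits to one 32-byte ABI word."""
    return hex_digits.rjust(64, "0")


def make_calldata(amount: int, recipient: str) -> str:
    """selector || uint256 amount || address recipient (constructed layout)."""
    return SELECTOR + word(format(amount, "x")) + word(recipient[2:].lower())


def replay(tx: Tx, old_recipient: str, new_recipient: str) -> Tx:
    """What the copy-pasters did: find/replace the recipient, re-broadcast."""
    swapped = tx.calldata.replace(old_recipient[2:].lower(),
                                  new_recipient[2:].lower())
    return Tx(sender=new_recipient, to=tx.to, calldata=swapped)


def normalize(calldata: str) -> str:
    """Mask every address-shaped word so replays collapse to one template."""
    body = calldata[2:].lower()
    selector, rest = body[:8], body[8:]
    words = [rest[i:i + 64] for i in range(0, len(rest), 64)]
    masked = ["<addr>" if ADDR_WORD.fullmatch(w) else w for w in words]
    return selector + "|" + "|".join(masked)


def detect_replays(txs: List[Tx], min_senders: int = 3) -> Dict[str, List[Tx]]:
    """Return calldata templates shared by at least min_senders distinct senders."""
    groups: Dict[str, List[Tx]] = defaultdict(list)
    for tx in txs:
        groups[normalize(tx.calldata)].append(tx)
    return {tpl: grp for tpl, grp in groups.items()
            if len({t.sender for t in grp}) >= min_senders}


def build_sample() -> List[Tx]:
    """Constructed transactions: one exploiter, three copiers, one bystander."""
    exploiter = "0x" + "aa" * 20
    chunk = 202_440 * 10 ** USDC_DECIMALS  # identical chunk size, as in the article
    original = Tx(exploiter, BRIDGE, make_calldata(chunk, exploiter))
    copiers = ["0x" + b * 20 for b in ("bb", "cc", "dd")]
    replays = [replay(original, exploiter, c) for c in copiers]
    bystander_addr = "0x" + "ee" * 20
    bystander = Tx(bystander_addr, BRIDGE,
                   make_calldata(1_500 * 10 ** USDC_DECIMALS, bystander_addr))
    return [original, *replays, bystander]


if __name__ == "__main__":
    for template, group in detect_replays(build_sample()).items():
        senders = {t.sender for t in group}
        print(f"{len(group)} txs from {len(senders)} senders share {template[:24]}...")
```

Run against the constructed sample, the detector flags a single template: the exploiter's transaction plus the three copies, from four different senders, while the bystander's ordinary transaction is left alone. The same grouping idea works on real mempool or block data once calldata is decoded the same way; the threshold and the address heuristic are the knobs to tune.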

In the blockchain equivalent of "America's Dumbest Criminals", the types who rob a gas station with their name tag on, some people exploited the contract from wallets tied to public, deliberately traceable identifiers such as ENS names. Many sent the funds back. Others claimed to be acting in good faith, withdrawing funds they pledged to protect and return once the smart contract was secured.

“We are aware of the incident involving the Nomad token bridge,” Nomad said in a statement on Twitter. “We are currently investigating and will provide updates when we have them.”

Nomad was contacted for comment but did not immediately respond. 
