Nomad ‘Crowd-Looting’ Triggers Exodus From Other Blockchains
Users have fled blockchains affiliated with Nomad, the bridge protocol that was emptied in an exploit Monday evening.
By Tuesday, users had withdrawn more than half of the value locked in Moonbeam, and one-third of the value locked in Cardano since the attack began, according to data on Defi Llama.
Bridges allow users to move digital assets between otherwise incompatible blockchains, and have proven a lucrative target for hackers.
With about $190M stolen, Monday’s hack was the third largest of 2022 and the fifth largest in DeFi history, according to a “leaderboard” maintained by crypto news website Rekt. Only the hacks of Axie Infinity’s Ronin bridge and Solana’s Wormhole bridge were larger, at $624M and $326M, respectively.
Twitter user foobar called it “the first decentralized crowd-looting of a 9-figure bridge in history.”
Experts who took to social media this week said the money was not taken by a single, capable hacker but by dozens of people who saw the crypto equivalent of an unlocked mansion and went inside to grab what they could carry out.
Matt Gleason, a security researcher at the venture capital firm a16z, said the exploit was similar to one used to steal $80M from Qbit at the beginning of the year.
“An insecure configuration of the bridge caused a specific path to allow any transaction sent,” he wrote on Twitter, “meaning that all you need to do is ask for all the bridge’s money and you’ll get it.”
Crypto security firm Zellic detailed the bug that allowed the exploit in a Twitter thread Monday.
“This vulnerability was so severe that even unsophisticated attackers could weaponize it, instantly,” Zellic tweeted. “All they had to do was change the address of the recipient.”
At least six Good Samaritans — known in industry parlance as white hat hackers — were able to squirrel away more than $8M for safekeeping before others could steal it, according to crypto security firm PeckShield.
Protocols that used the Nomad bridge saw substantial outflows in the wake of the hack. In addition to Cardano and Moonbeam, two of the thirty largest blockchains as measured by total value locked, smaller blockchains Evmos and Milkomeda also lost more than one-third of their total value in the 24 hours after the hack, according to Defi Llama.
Dancing on Nomad’s Grave
Evmos founder Federico Kunze Küllmer took to Twitter to criticize others dancing on Nomad’s grave Tuesday.
“Even the smartest teams (dApps and L1s) can suffer from upgrade bugs. Almost all of the top @cosmos chains have in the past,” he wrote, referring to another Layer 1 blockchain. “We are coordinating directly with the Nomad team and with our community to decide on next steps.”
Representatives for Evmos and Moonbeam did not immediately respond to a request for comment Tuesday.
In a statement, Nomad said it was working with law enforcement and “leading firms for blockchain intelligence and forensics” to find and retrieve the stolen money, and thanked “our white hat friends.” Nomad co-founders Barbara Liau and Pranay Mohan did not return messages requesting comment Tuesday.
But some cast doubt on the idea the money could be retrieved.
“Nothing to be done at this time except getting funds back from whitehats that drained preventively,” Nassim Eddequiouaq, a16z’s chief information security officer, tweeted.