Crypto token bridge Nomad drained $190M in funds in security exploit


The Nomad token bridge has suffered a security exploit that allowed attackers to systematically drain roughly $190.7 million of the bridge's funds over a long series of transactions, leaving only $651.54 in the wallet.
In one of the largest hacks since Axie Infinity's Ronin Bridge sidechain was drained in March, the funds stolen from Nomad were denominated in Ethereum, USDC, DAI, FXS, and CQT.
"We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them," Nomad tweeted Monday afternoon.
Nomad has given no further details yet. In the meantime, some have pointed to a configuration error in a smart contract that Nomad uses to handle messages as the cause, permitting millions to be drained from Nomad's liquidity pool.
"It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel," Sam Sun, a researcher at crypto investment firm Paradigm, tweeted. "Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign."
"It turns out that during a routine upgrade," Sun continued, "the Nomad team initialized the trusted root to be 0x00. To be clear, using zero values as initialization values is a common practice. Unfortunately, in this case, it had a tiny side effect of auto-proving every message."
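Sun's description above, as an added example that is not Nomad's own code: a simplified Python model of a bridge message-processing contract (the class, method and field names are assumptions for this illustration) showing why marking an all-zero root as confirmed makes every unproven message look proven, beside the check that rejects it.

```python
from dataclasses import dataclass, field

ZERO_ROOT = bytes(32)  # the all-zero "trusted root" from Sun's description


@dataclass
class Replica:
    # message hash -> Merkle root it was proven under (absent == never proven)
    messages: dict = field(default_factory=dict)
    # root -> timestamp from which it is accepted (absent/0 == not confirmed)
    confirm_at: dict = field(default_factory=dict)

    def acceptable_root(self, root: bytes, now: int) -> bool:
        ts = self.confirm_at.get(root, 0)
        return ts != 0 and ts <= now

    def process_vulnerable(self, msg_hash: bytes, now: int) -> bool:
        # Flawed check: an unproven message reads back as the zero value, and
        # that zero value is then tested like any other root. Once the upgrade
        # marks ZERO_ROOT as confirmed, every unproven message passes.
        root = self.messages.get(msg_hash, ZERO_ROOT)
        return self.acceptable_root(root, now)

    def process_hardened(self, msg_hash: bytes, now: int) -> bool:
        # Fix: require an explicit proof and never treat the zero value as a
        # root, so a zero-initialised confirmation slot authorises nothing.
        root = self.messages.get(msg_hash)
        if root is None or root == ZERO_ROOT:
            return False
        return self.acceptable_root(root, now)


def routine_upgrade(replica: Replica) -> None:
    # Models the upgrade in the article: the trusted root is initialised to
    # 0x00 and recorded as confirmed (timestamp 1, i.e. long in the past).
    replica.confirm_at[ZERO_ROOT] = 1


def demo(now: int = 1_000_000) -> tuple:
    """Returns (vulnerable_accepts_unproven, hardened_accepts_unproven,
    hardened_accepts_proven) for constructed sample hashes."""
    r = Replica()
    routine_upgrade(r)
    unproven = b"\x11" * 32                 # constructed: nobody proved this
    proven, real_root = b"\x22" * 32, b"\xaa" * 32
    r.messages[proven] = real_root          # constructed: legitimately proven
    r.confirm_at[real_root] = now - 60      # ...under a root confirmed earlier
    return (r.process_vulnerable(unproven, now),
            r.process_hardened(unproven, now),
            r.process_hardened(proven, now))
```

Without the upgrade step the flawed check still rejects unproven messages, which is why the defect only surfaced after the zero root was confirmed.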
The Nomad Bridge lets users move digital assets between various blockchains, including Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).

Joyashree Dey
CBW - External Analyst
INDIA