Nomad’s $190 million bridge hack attracted 300 hackers in a feeding frenzy

Monday, the security company PeckShield informed The Block that over 300 addresses were linked to the Nomad bridge hack.

While most crypto attacks are perpetrated by lone wolves, the $190 million breach of the Nomad cross-bridge on Monday looks to have been the result of a feeding frenzy of hundreds of malicious individuals.

Yesterday, $190 million in different crypto assets were stolen from Nomad’s cross-chain bridge after a software upgrade uncovered a severe vulnerability that enabled anybody to withdraw cash from the bridge.

The blockchain security startup PeckShield revealed to The Block today that an unidentified hacker found the flaw on Monday and promptly stole roughly $95 million. As word of the first vulnerability went across the crypto community, others hastened to help the original hacker in stealing funds.

PeckShield informed The Block that over 300 addresses had received cash from Nomad within an hour. The company estimates that 41 of them stole $152 million, or 80 percent of the stolen money, from the cross-chain bridge of Nomad.

However, they were not all awful actors. PeckShield’s study uncovered at least six addresses belonging to white hackers, or ethical hackers, who stole around $8.2 million from the bridge. It is believed that they will repay the monies.

Nomad is a cross-chain bridge that facilitates the transfer of ERC-20 tokens across Ethereum, Moonbeam, Evmos, and Avalanche. It is one of the available bridge services in the crypto space.

According to PeckShield, Nomad developers disclosed the vulnerability during an intelligent contract upgrade. The error was caused by the developers’ erroneous modification of the bridge’s smart contract and deployment of the code without sufficient auditing.

“The Nomad bridge attack is feasible because to an erroneous setup that resulted in the zero address (0x00) being identified as a trusted root, causing every message to be validated by default,” PeckShield said.

By marking 0x00 (also known as the zero address), the trusted root inadvertently disabled a smart contract check that guaranteed only legitimate addresses could receive withdrawals.

After the vulnerability was put into Nomad’s code, withdrawal applications from any address were by default deemed genuine. This indicated that anybody may take monies from the bridge.

The vulnerability does not need deep technical understanding of smart contracts. Simply update the hacker’s transaction using Etherscan, change the recipient’s address with one’s own, and submit a withdrawal request on the Nomad bridge.

Also Read: Chen Fang Is Promoted To Chief Operating Officer Of Crypto Custodian BitGo