Today, the Nomad bridge was exploited for $190m, making it the 4th biggest DeFi hack in history. It's also being dubbed the "first decentralised hack", with users snatching funds via a simple copy and paste trick. Here's a breakdown of what happened. 👇
1. Nomad is a cross-chain bridge which offers asset transfers between Ethereum, Avalanche, Moonbeam, Evmos, and Milkomeda. Today, it was hacked for $190m - seeing their TVL plummet from $190m to just $12,401.
2. @CertiK's incident analysis examined the original code, and found that: "a routine upgrade allowed verification messages to be bypassed on Nomad." Attackers abused this to copy/paste transactions and drained the bridge before intervention.
3. This technical explanation by @samczsun summarises the situation well: the "committedRoot" was set to zero, meaning the attackers were able to bypass the message verification process.
4. After the initial attacker identified the exploit, users jumped on the bandwagon by essentially copying and pasting the original code with their own wallet addresses.
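To make points 3 and 4 concrete, here is an added, simplified model of a bridge replica's "is this message proven?" check (constructed for this thread; it is not Nomad's code). It shows why trusting a zero committedRoot lets never-proven messages through, and how refusing the zero root closes the hole. The Replica class, its field names and the sample message are all assumptions.

```python
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32  # the all-zero "committedRoot"


@dataclass
class Replica:
    # root -> timestamp from which it is acceptable (0 = never confirmed)
    confirm_at: dict = field(default_factory=dict)
    # message hash -> Merkle root the message was proven against
    proven: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    reject_zero_root: bool = True  # the hardening switch

    def initialize(self, committed_root: bytes) -> None:
        # Routine upgrade path: trust the committed root immediately.
        self.confirm_at[committed_root] = 1

    def prove(self, message: bytes, root: bytes) -> None:
        # Stands in for Merkle-proof verification (assumed done elsewhere).
        self.proven[sha256(message).digest()] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # an unproven message must never be acceptable
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and now >= confirmed

    def process(self, message: bytes, now: int = 100) -> bool:
        h = sha256(message).digest()
        if h in self.processed:
            return False  # replay of an already-processed message
        # A message nobody ever proved has no entry, so it maps to the zero root.
        root = self.proven.get(h, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        return True


def make_replica(hardened: bool) -> Replica:
    r = Replica(reject_zero_root=hardened)
    r.initialize(ZERO_ROOT)  # the upgrade that set committedRoot to zero
    return r


def unproven_message_passes(hardened: bool) -> bool:
    # Constructed sample message that was never proven against any root.
    return make_replica(hardened).process(b"transfer 100 WBTC to 0xSOMEONE")
```

With the zero root trusted and no explicit check against it, the unproven message is processed; with the check in place it is rejected, while a message proven against a confirmed root still goes through.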
5. @0xfoobar labelled it the "first decentralised crowd-looting."
6. The hack was conducted by multiple parties with no direct affiliation.
7. Funnily enough, the hackers were apparently unskilled: had they wanted to, they could have stolen all the funds in a single transaction.
8. There were multiple "white hat" hackers who stepped in and "stole" funds to safeguard Nomad's assets. Although it's not clear what percentage of the assets went to white hats versus black hats, this graphic attempts to break it down:
9. Weirdly, Nomad's initial response didn't address the root issue, and instead decided to focus on a random "impersonator".
10. Later, they issued an official update, stating that they are "working around the clock to address the situation".
11. Over the past 12 months, $1.3b+ has now been stolen from bridges. This clearly highlights the fundamental vulnerability of bridges in crypto, and the need for interoperable/native ecosystems which aren't prone to such exploits.
12. Time and time again we are reminded of these flaws, as famously (and perhaps prophetically) highlighted by @VitalikButerin 6 months ago on the $ETH forum: