Nomad bridge suffered a chaotic exploit due to smart contract vulnerability. Attackers stole tons of ETH, FXS, DAI, CQT, WBTC tokens for ~$152M (~80%). The exploiter laundered stolen funds and moved $11 million into Torndao.cash.
In April, Coinbase, OpenSea, Crypto.com, and Polygon invested $22 million in Nomand million at a $225 million evaluation for “security-first interoperability.” Now, Nomand has suffered one of the most significant exploits ever.
How the Attack Unfolded?
Nomand is a cross-chain token bridge allowing users to send and receive tokens between blockchains. For example, send tokens from ERC20 to TRC20 and vice versa.
The exploit happened due to a vulnerability in bridging functionality. Bridge works by locking cryptocurrency in a smart contract on Chain A and then issuing the cryptocurrency in “wrapped” form on Chain B. Tokens locked in Chain A were sabotaged, and there was nothing to back up the wrapped tokens.
The Nomad team initialized the trusted root to be 0x00. While a common practice, this smart contract vulnerability auto-proved every message. The hack was chaotic and didn’t even require specific knowledge of coding to exploit the vulnerability, “All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
Nomand Response: White Hackers Come to Rescue
As part of their investigation/recovery process, Nomand partnered with TRM Labs and law enforcement to trace stolen funds. They also are working on technical fixes, but nothing substantial yet. Their recovery efforts seem pretty productive.
Nomand called the community of white hat hackers and ethical researchers safeguarding ETH/ERC-20 tokens to return stolen funds to their wallet. So far, Nomand has recovered $16.6 million, and just five ethical hackers returned $11.2 million. This is a noble example of how white hat hackers are helping developers mitigate the aftermaths of hacks. Nomand team also pledged to be more active and consistent in communications with the community in the future.
What is Tornado.cash?
We often see that hackers use crypto mixers to flee with funds. Services like Tornado.cash are cryptocurrency tumblers. Their purpose is to improve TX privacy. Crypto Tumblers hide the history of TX. Alternatively, anyone would see TX details on a block explorer like Etherscan. Tumblers work by breaking the on-chain link between source and destination addresses. We can confidently say that the Nomand Bridge attacker moved funds using Tornado.cash because crypto tumblers do not guarantee absolute anonymity as they only secure on-chain privacy. An educated guess can link a deposit to a withdrawal, mainly if they occur on the same day.