$250 million worth of cryptocurrency leaked in attack on Nomad's token bridge
It has come to light that Nomad, which works on a 'token bridge' that enables interoperability by moving tokens between independent blockchains, was attacked and that cryptocurrency worth about $190.7 million (about 25.3 billion yen) was stolen.
Hackers abuse 'chaotic' Nomad exploit to drain almost $200M in crypto | TechCrunch
https://techcrunch.com/2022/08/02/nomad-chaotic-exploit-crypto/
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
According to early reports, Nomad's token bridge came under active attack around 6:37 on August 2, 2022, and Wrapped ETH (WETH) and Wrapped Bitcoin (WBTC) began to be stolen.
Nomad bridge getting rugged??? Looks very very sus pic.twitter.com/nvtMIjf0rD
— Spreek (@spreekaway) August 1, 2022
As time went on, other tokens such as Ethereum (ETH) and USD Coin (USDC) were also stolen, and by 9 o'clock on the same day only $782.04 (about 100,000 yen) remained in the wallet.
how it started vs how it ended
the most valuable remaining asset is $300 worth of CharlieCoin
rip pic.twitter.com/E26rBY8LPG
— foobar (@0xfoobar) August 2, 2022
At 8:25 a.m., Nomad tweeted that it had 'confirmed an incident' and had begun an investigation.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓) (@nomadxyz_) August 1, 2022
At the time of writing, Nomad had not revealed the cause of the hack, but according to experts, 'transactions were in a state where they could easily be faked'.
According to samczsun, a researcher at investment firm Paradigm, a recent update to one of Nomad's smart contracts made it easy for users to fake transactions. When a user transferred funds from one blockchain to another, Nomad reportedly did not verify the amount, allowing users to withdraw funds that did not belong to them.
Adrian Hetman, technical lead at Immunefi, which provides a Web3 bug bounty program, came to the same conclusion: 'This hack is like using a checkbook to withdraw money from a bank, and Nomad is using the check itself. We only care about whether we have enough money; we didn't verify that we actually have enough money.'
Furthermore, this attack was carried out not by a lone culprit but by multiple people. Hackers who heard about the first attack were able to imitate it by copying the original transaction and changing some values. According to a survey, more than 41 different addresses are said to have accounted for 80% of the total amount stolen.
At the time of writing, Nomad said, 'We are working around the clock to deal with this situation. Our goal is to identify the accounts involved and track and recover the funds.'
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.
1/2
— Nomad (⤭⛓) (@nomadxyz_) August 2, 2022
in Web Service, Security, Posted by log1p_kr