$250 million worth of cryptocurrency leaked in attack on Nomad's token bridge

Nomad, which works on a 'token bridge' that enables interoperability by moving tokens between independent blockchains, was attacked and virtual currency equivalent to about 190.7 million dollars (about 25.3 billion yen) was stolen. became clear.

Hackers abuse 'chaotic' Nomad exploit to drain almost $200M in crypto | TechCrunch

According to early reports, Nomad's token bridge was actively hacked around 6:37 on August 2, 2022, and Wrapped ETH (WETH) and Wrapped Bitcoin (WBTC) began to be stolen.

As time went on, other tokens such as Ethereum (ETH) and USD Coin (USDC) were stolen, and at 9 o'clock on the same day, only $ 782.04 (about 100,000 yen) remained in the wallet.

At 8:25 a.m., Nomad tweeted that he had 'confirmed an incident' and had begun an investigation.

At the time of writing the article, Nomad did not reveal the cause of the hacking, but according to experts, it is said that 'the transaction was in a state where it could be easily disguised'.

According to samczsun, a researcher at investment firm Paradigm, a recent update to one of Nomad's smart contracts makes it easier for users to fake transactions. When a user transfers funds from one blockchain to another, Nomad does not verify the amount, and Nomad does not verify the amount, allowing users to withdraw funds that do not belong to them. It seems that

Adrian Hetman, technical lead at Immunefi, which provides Web3's bug bounty program, has come to the same conclusion: 'This hack is like using a checkbook to withdraw money from a bank, and Nomad is using the check itself.' We only care about whether we have enough money, we didn't verify that we actually have enough money.'

Furthermore, this time the attacker was not a lone culprit, but multiple people. The hackers who heard the first hacking were able to imitate the attack by copying the original transaction and changing some values, according to a survey , more than 41 different addresses accounted for 80% of the total. It is said that he was stealing money.

At the time of writing the article, Nomad said, ``We are working around the clock to deal with this situation.Our goal is to identify the accounts involved and track and recover the funds.'' is.

in Web Service,   Security, Posted by log1p_kr