Nomad token bridge suffered an exploit on August 1 that allowed several people to drain the bridge of $190.7 million.
The first sign of trouble began at about 9:23 pm UTC after a hacker exploited the bridge to withdraw 100 WBTC worth $2.3 million.
Several others copied the code of the first suspicious transaction and changed the address to participate in draining the funds.
1/ Nomad was just drained for over $150 million in one of the most chaotic hacks Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes pic.twitter.com/Y7Q3fZ7ezm
- samczsun (@samczsun) August 1, 2022
The Nomad bridge allowed token transfer between the Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Moonbeam (GLMR), and Milkomeda C1 blockchains.
Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge – all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan. In true crypto fashion – the first decentralized robbery. https://t.co/jWV9AamBer
- FatMan (@FatManTerra) August 2, 2022
Unlike other crypto exploits where only a few addresses are directly tied to the hack, hundreds of addresses were responsible for draining the Nomad bridge of almost all the $190.7 million locked in it.
2/ Apparently there are multiple wallets involved in this hack and successfully drained the funds.
Totally 39 million dollars in USDC have been stolen in a single transaction withdrawing $202,440 multiple times from the bridge. pic.twitter.com/ciXfv3Ebpo
— The woke blunt? (@Manikumar111111) August 2, 2022
Bizarrely, some of the exploit transactions had the same value. For instance, there were over 200 transactions of exactly 202,440.725413 USDC.
Several tokens like WBTC, WETH, USDC, FRAX, CQT, HBOT, IAG, DAI, GERO, CARDS, SDL, and C3 were stolen from the bridge.
According to 0xfoobar, the attack happened due to a poor operational strategy causing “bad Merkle root initialization which led to every message being proven valid by default.”
TL;DR – a poor operational strategy led to bad merkle root initialization which led to every message being proven valid by default
Rough timing as the Nomad team raised a $22 million round several months ago and recently announced significant backing https://t.co/tsPTigF8XV
— foobar (@0xfoobar) August 2, 2022
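A simplified model of the failure mode 0xfoobar describes, added here as an illustration and not Nomad's contract code. It assumes the verifier keeps a set of trusted roots and that a never-proven message reads back as the all-zero default, so initializing the trusted set with that zero value lets unproven messages pass; the `Inbox` class, its methods and the sample messages are constructed for this example.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # assumed default value of an unset 32-byte slot


def leaf_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class Inbox:
    """Toy verifier: a message is acceptable once it is tied to a trusted root."""

    def __init__(self, initial_root: bytes, reject_zero_root: bool):
        self.trusted_roots = {initial_root}  # roots accepted as committed
        self.proven_root = {}                # message hash -> root it was proven under
        self.reject_zero_root = reject_zero_root

    def prove(self, message: bytes, sibling: bytes, root: bytes) -> bool:
        """Check a one-level Merkle proof and record the root for the message."""
        h = leaf_hash(message)
        if hashlib.sha256(h + sibling).digest() != root:
            return False
        self.proven_root[h] = root
        return True

    def acceptable(self, message: bytes) -> bool:
        # Like a storage mapping, a never-proven message reads back as the zero value.
        root = self.proven_root.get(leaf_hash(message), ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return root in self.trusted_roots


def demo():
    genuine, forged = b"constructed: pay 1 to alice", b"constructed: pay 100 to mallory"
    sibling = leaf_hash(b"constructed: other leaf")
    real_root = hashlib.sha256(leaf_hash(genuine) + sibling).digest()

    weak = Inbox(initial_root=ZERO_ROOT, reject_zero_root=False)  # bad initialization
    fixed = Inbox(initial_root=real_root, reject_zero_root=True)  # corrected setup
    for inbox in (weak, fixed):
        inbox.trusted_roots.add(real_root)
        inbox.prove(genuine, sibling, real_root)
    return {
        "weak": (weak.acceptable(genuine), weak.acceptable(forged)),
        "fixed": (fixed.acceptable(genuine), fixed.acceptable(forged)),
    }
```

In the weak configuration the forged message is accepted without any proof ever being submitted for it; a deployment check that the trusted set never contains the default value catches this class of fault before launch.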
The Nomad team confirmed the exploit and claimed to be investigating the events.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓?) (@nomadxyz_) August 1, 2022
Meanwhile, Moonbeam went into maintenance mode “to investigate a security incident with a smart contract deployed on the network.”
1/ Important Notice: The Moonbeam Network has gone into Maintenance Mode to investigate a security incident with a smart contract deployed on the network.
— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 1, 2022
1/ Earlier today, a security incident occurred that affected the @nomadxyz_ bridges to Moonbeam. Nearly all of the assets in Nomad's Ethereum Mainnet smart contract were drained. We have found no evidence that the recent security incident was related to the Moonbeam codebase.
— Moonbeam Network #HarvestMoonbeam (@MoonbeamNetwork) August 2, 2022
PeckShield revealed that it detected 41 addresses that grabbed roughly $152 million (80%) of the stolen funds.
According to the blockchain security firm, one of the wallets belonged to the hacker who stole $80 million from DeFi platforms Rari Capital and Saddle Finance.
#PeckShieldAlert PeckShield has detected ~41 addresses that grabbed ~$152 million (~80%) in the @nomadxyz_ bridge exploit, including ~7 MEV bots (~$7.1 million), the @Filmdenkare Arbitrum exploiter (~$3.4 million) and 6 white hats (~$8.2 million).
~10% of these addresses, which have ENS names, took $6.1 million pic.twitter.com/UUjk7ZiiKE
— PeckShieldAlert (@PeckShieldAlert) August 2, 2022
Whitehat hackers save some of the stolen funds
While the whole thing seems like free-for-all looting, available information confirms that some of those who took funds from the bridge were white hat hackers seeking to prevent thieves from accessing the funds.
Some who drained the funds have confirmed that they plan to return them.
I'm returning this money, fbi please calm down. no I did not plan to steal it and yes I know this address is encrypted
???.eth
Nomad
— ???.eth (@SpaceWigger) August 2, 2022
One of them wrote:
“This is a whitehack. I plan to return the funds. Waiting for official communication from Nomad team (please provide an email id for communication). I have not swapped any assets even after knowing that USDC can be frozen. Transferred USDC, FRAX and CQT token from other addresses in order to consolidate. I wish I could rescue more funds but it was too slow.”
Others have also identified as whitehat hackers and asked the team to get in touch, including someone who was able to get $1 million.
A couple of those grabbing bridge funds, some who have publicly come forward and offered to return
???.eth
Rari Capital Exploiter
darkfi.eth pic.twitter.com/2adlMl6Pj3
— foobar (@0xfoobar) August 2, 2022
Source: https://cryptoslate.com/nomad-bridge-drained-of-190m-after-hundreds-of-addresses-copy-hackers-code/