A function irregularity on cross-chain messaging protocol Nomad gave leeway for upward of $200 million to be siphoned off the platform, according to one security expert.
Steven Walbroehl, chief information security officer at blockchain security firm Halborn, told CoinDesk TV that a recent update to Nomad’s smart contracts backfired, prompting transactions on the protocol to be automatically approved.
The result, although unclear, created a domino-like effect. “Once one person found out about it, it was a crazy mad rush of people who [could] go in there and copy the transaction and say, ‘Hey, I guess I’ll pay myself too, out of the bridge,’” Walbroehl said on CoinDesk TV’s “First Mover” program.
Walbroehl said that a user did not need to have extensive knowledge of such things as Merkle trees (the way data is handled) or the Solidity programming language to engage in the hack. In fact, “all you had to do [was] find a transaction that worked and then replace that address with your own.”
In Nomad’s case, however, all transactions were given the green light, whether or not they were legit. The protocol uses Merkle trees to validate transactions. They are primarily “used to provide blockchain data more securely and efficiently by proving a transaction is valid.”
Walbroehl said that bridges such as Nomad are likely prone to exploits because “most often this is where all the value is stored” – and thus bridges are enticing to hackers.
“You’re going to the vaults to rob the bank, rather than trying to go out and pick everybody's wallet,” he said. “Just go right for the bank.”
The second reason Walbroehl points to is complicated programming, especially when it comes to “two different protocols.”
“If you combine high value with complicated programming and lots of errors happen, that’s where hacks come from,” he said.
Walbroehl believes that the best way to prevent future hacks “is to put defense in depth – do security audits.” In addition, he said that developers should get others to look at their code, as well as testing it on their own.
For users, Walbroehl emphasizes “being aware of the bridges or the bridges that you’re investing in.”
Nomad told CoinDesk that an ongoing investigation is underway and that law enforcement officials have also been notified.
The decentralized finance (DeFi) platform – which recently raised upward of $22 million in a seed round led by big crypto players including Coinbase Ventures and OpenSea – is the latest protocol to face a heavy-handed hack. Back in April, the gaming-focused Ronin Network faced a hack of more than $600 million.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.