A function irregularity on cross-chain messaging protocol Nomad gave leeway for upward of $200 million to be siphoned off the platform, according to one security expert.
Steven Walbroehl, chief information security officer at blockchain security firm Halborn, told CoinDesk TV that a recent update to Nomad’s smart contracts backfired, prompting transactions on the protocol to be automatically approved.
The result, although unclear, created a domino-like effect. “Once one person found out about it, it was a crazy mad rush of people who [could] go in there and copy the transaction and say, ‘Hey, I guess I’ll pay myself too, out of the bridge,’” Walbroehl said on CoinDesk TV’s “First Mover” program.
Nomad, which primarily serves as a bridge for users to send and receive tokens among different blockchains, told users Monday evening via a tweet that it was “aware of the incident involving the Nomad token bridge.” By then, the protocol had lost $45 million.
Two hours later, the protocol told users it was “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.” By midnight on Monday, the protocol had lost nearly $200 million.
Walbroehl said that a user did not need to have extensive knowledge of such things as Merkle trees (the way data is handled) or the Solidity programming language to engage in the hack. In fact, “all you had to do [was] find a transaction that worked and then replace that address with your own.”
In Nomad’s case, however, all transactions were given the green light, whether or not they were legit. The protocol uses Merkle trees to validate transactions. They are primarily “used to provide blockchain data more securely and efficiently by proving a transaction is valid.”
Walbroehl said that bridges such as Nomad are likely prone to exploits because “most often this is where all the value is stored” – and thus bridges are enticing to hackers.
“You’re going to the vaults to rob the bank, rather than trying to go out and pick everybody's wallet,” he said. “Just go right for the bank.”
The second reason Walbroehl points to is complicated programming, especially when it comes to “two different protocols.”
“If you combine high value with complicated programming and lots of errors happen, that’s where hacks come from,” he said.
Walbroehl believes that the best way to prevent future hacks “is to put defense in depth – do security audits.” In addition, he said that developers should get others to look at their code, as well as testing it on their own.
For users, Walbroehl emphasizes “being aware of the bridges or the bridges that you’re investing in.”
Nomad told CoinDesk that an ongoing investigation is underway and that law enforcement officials have also been notified.
The decentralized finance (DeFi) platform – which recently raised upward of $22 million in a seed round led by big crypto players including Coinbase Ventures and OpenSea – is the latest protocol to face a heavy-handed hack. Back in April, the gaming-focused Ronin Network faced a hack of more than $600 million.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2024, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.