Nomad, a cross-chain bridge that allowed users to send and receive tokens between different blockchains, was exploited in early August for over $190 million, or about the entirety of its token reserves.
The Coinbase research shows some 88% of all addresses that conducted the exploit were identified as “copycats” that together stole about $88 million in tokens from the bridge.
“The majority of copycats used a variation of the original exploit by simply modifying targeted tokens, amounts and recipient addresses,” Coinbase researchers said.
“While the majority of valuable tokens were claimed by just two of the original exploiters’ addresses, hundreds of others were able to claim part of the bridge’s holdings,” the researchers added.
Nomad did not return requests for comment at press time.
On Twitter, Paradigm researcher @samczsun explained that a recent update of one of Nomad’s smart contracts made it easy for users to spoof transactions, as previously reported.
This meant users were able to withdraw money from the Nomad bridge that didn’t actually belong to them. And unlike some bridge attacks, where a single culprit is behind the entire exploit, the Nomad attack was a free-for-all.
“... [Y]ou didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” @samczsun said in a tweet in early August.
Such a scenario allowed early observers of the exploit to merely copy the attacker’s code, add their addresses and broadcast the changed code to the network in order to steal funds from Nomad.
This also caused the original exploiters “to compete against hundreds of copycats” for their attack, the Coinbase researchers pointed out.
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.