
Nomad crypto bridge loses $200 million in ‘chaotic’ hack


A smart contract bug let a large number of attackers drain the project’s funds


Illustration by Alex Castro / The Verge

After a few quiet months, it’s happened again: another blockchain bridge hack with losses in the hundreds of millions of dollars.

Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday, which left almost $200 million of its funds drained.

The hack was acknowledged by the Nomad project’s official Twitter account on Monday, August 1st, initially as an “incident” that was being investigated. In a further statement released early Tuesday morning, Nomad said that the team was “working around the clock to address the situation” and had also notified law enforcement.

In another Twitter thread, samczsun — a researcher at the crypto and Web3 investment firm Paradigm — explained that the exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.

“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”

A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”
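To illustrate the class of bug described above (a trust configuration that lets unproven messages through, so a copied transaction with a swapped recipient is accepted), here is an added, simplified sketch of a bridge "replica" contract and its hardened form. This is example code written for this article, not Nomad's contract; the names, the optimistic-confirmation model and the omission of access control on `initialize` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed, simplified model of a bridge "replica" contract (not Nomad's code):
// a message may be processed only if it was proven against a trusted Merkle root.
contract VulnerableReplica {
    // message hash => root it was proven under; bytes32(0) means "never proven"
    mapping(bytes32 => bytes32) public messages;
    // root => timestamp after which it is trusted; 0 means "never confirmed"
    mapping(bytes32 => uint256) public confirmAt;
    mapping(bytes32 => bool) public processed;

    // Misconfiguration: if the deployer passes bytes32(0) here, the "never proven"
    // sentinel becomes a trusted root and every unproven message passes process().
    function initialize(bytes32 committedRoot) public virtual {
        confirmAt[committedRoot] = 1;
    }

    function acceptableRoot(bytes32 root) public view virtual returns (bool) {
        uint256 t = confirmAt[root];
        return t != 0 && block.timestamp >= t;
    }

    // Replay of the same message is blocked by processed[h], but a copied message
    // with the recipient changed has a new hash, messages[h] == 0, and with the
    // zero root trusted that unproven message is released anyway.
    function process(bytes calldata message) external returns (bool) {
        bytes32 h = keccak256(message);
        require(!processed[h], "already processed");
        require(acceptableRoot(messages[h]), "not proven");
        processed[h] = true;
        // ... decode recipient and amount from message and release funds ...
        return true;
    }
}

// Hardened: never trust the sentinel, checked both at initialization and at use.
contract HardenedReplica is VulnerableReplica {
    function initialize(bytes32 committedRoot) public override {
        require(committedRoot != bytes32(0), "zero root is the unproven sentinel");
        super.initialize(committedRoot);
    }

    function acceptableRoot(bytes32 root) public view override returns (bool) {
        if (root == bytes32(0)) return false;
        return super.acceptableRoot(root);
    }
}
```

A deployment or upgrade test that asserts `acceptableRoot(bytes32(0))` is false after initialization catches this misconfiguration before funds are at risk.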

In a more optimistic take, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested the funds could be reclaimed from the “whitehats that drained preventively,” though the identities of those that obtained the funds from Nomad appear to be largely unknown.

Blockchain bridges are now routinely the targets of the most high-profile hacks in the cryptocurrency industry due to the large value of assets they often hold and the complexity (and thus potential vulnerability) of the smart contract code they run on. This year, just two hacks alone have accounted for almost a billion dollars of stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker spotted an error in open-source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.

“Protecting cross-chain bridges from lucrative attacks such as this is one of the most urgent problems facing the Web3 community,” said Professor Ronghui Gu, CEO and co-founder of CertiK. “Their security posture needs to be ironclad and is where many of the new developments in Web3 security will be most needed.”
