One attacker and hundreds of copycats looted the Nomad bridge for over $190 million; few did the right thing.
Decentralization is a hot-button topic in 2022.
To some, it seems like the solution to a variety of issues plaguing the so-called web2 ecosystem, such as the monopolization of social media, the centralized control over the flow of information, and bad data privacy and data monetization practices. Proponents of distributed blockchain technology offer web3 as the decentralized solution to these problems, but web3 has some kinks to work out before it can replace the established infrastructure of web2.
One of those kinks involves exploitable smart contracts, a $190 million liquidity pool, and simple human nature. This is the full story behind the Nomad Bridge Hack of August, 2022.
The Nomad Bridge Hack Timeline
August 1, 2022:
Ethereum block 15259101 at 21:32:31 UTC contains four transactions at indices 0, 1, 3, and 124.
Each transaction is a fraudulent withdrawal from the Nomad bridge for 100 WBTC (~$2.3M at the time).
An attacker has found a bug in the smart contract that verifies Ethereum transactions on the bridge, and it’s as easy as copy/pasting the fraudulent transaction details and replacing the receiving wallet address with one’s own to replicate the attack.
Here’s Nomad’s post-mortem for the technical details about the exploit method.
Needless to say, pandemonium ensued.
Aug 2, 2022:
Within hours of the initial attack, hundreds of similar attacks occurred for a total of 960 transactions with 1,175 individual withdrawals from the bridge, according to an after-the-fact Twitter thread by Nomad.
The liquidity in the Nomad Ethereum bridge wallet was drained from ~$190M to $16,573.
Since it was so easy to replicate, you can imagine the dilemma some people were in when they realized they could copy the attack; others did, however, realize they could take the funds for safekeeping and then return them when the exploit was patched. This was a very risky move because, regardless of intent, they still committed theft and broke multiple cybercrime laws.
Only experts in digital asset recovery and cybersecurity professionals who know what they’re doing should take these kinds of actions.
Aug 3, 2022:
Nomad begins the funds recovery process and shares an address for white hats to return stolen funds to.
Aug 4, 2022:
Within 24 hours, Nomad has already recovered $16.6M, and they publish the addresses of some of the white hats who contributed to the asset recovery efforts alongside the amount of crypto each wallet was safeguarding.
Aug 5, 2022:
Nomad announces they’re working with the TRM Labs cybersecurity team, and states that many of the attackers used traceable addresses with identifying information attached.
They also announce a 10% bounty on the return of stolen funds, and promise not to pursue legal action against those who cooperate.
After one white hat returned $9.4 million worth of crypto, Nomad made another update announcing they had collected $31.8M so far.
From August 5th onward, Nomad would pursue the rest of the assets by working with crypto investigators, law enforcement, and the crypto community at large to entice copycat hackers to return the funds they took and to track down the ones who don’t cooperate.
They announced on August 30th they had engaged the Chainalysis Crypto Incident Response team for advanced blockchain tracing and to help identify the hackers.
Unsurprisingly, white hats who returned 90%+ of the stolen funds were awarded with a free NFT from Metagame, and also 100 FF tokens from Forefront.
This was a nice gesture and a unique incentive to offer, but clearly it didn’t work as well as they’d hoped.
As of their most recent update on September 27th, they had recovered just $34.1 million (not adjusted to reflect the cost of the assets at the time of the attack).
That number is however expected to rise through future legal action and recovery processes based on their investigations and working with law enforcement.