The Nomad bridge, which links parent Evmos with Ethereum and a variety of other tokens, is the latest victim of a crypto hack. And like a number of other attacks on cross-chain bridges that have already taken place this year, the damage climbed into the hundreds of millions of dollars as the platform’s reserves were almost totally depleted.
Platform drained by crypto hack that took advantage of botched update
Calling this incident a “crypto hack” is really being at least a little generous, as no real hacking was required. Enterprising thieves noticed that an update to the smart contract that underpins Nomad had included a critical technical mistake: anyone could take a valid transaction, swap in their own wallet address, and have the copy accepted as authenticated.
Cross-chain bridges have had serious security issues thus far in 2022, but an incident that was essentially an even simpler version of a URL guessing attack is easily the worst from a reputation perspective, particularly when it drained $190 million in funds: reportedly all that Nomad had on hand, save a few thousand dollars in assorted coin types, after about 40 attackers were done exploiting the flaw.
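The failure mode described above, reduced to an added Python model (constructed for this article, not Nomad's contract code): a receiving-side bridge verifier whose lookup of "which root proved this message" returns a default all-zero value for messages that were never proven, combined with an assumed botched initialisation that marks that zero root as acceptable, so a copy of a valid message with only the recipient changed passes the check. The page states only that a botched update let any transaction be reused with a swapped wallet; the zero-root mechanism, the `Replica` class and all names are assumptions of this example. The hardened form refuses to consult the acceptance table at all for a message that was never proven.

```python
import hashlib
from dataclasses import dataclass

ZERO_ROOT = b"\x00" * 32  # default value of an unset mapping slot (assumed mechanism)


@dataclass(frozen=True)
class Message:
    nonce: int
    recipient: str
    amount: int

    def digest(self) -> bytes:
        return hashlib.sha256(f"{self.nonce}|{self.recipient}|{self.amount}".encode()).digest()


class Replica:  # receiving side of a bridge, reduced to the acceptance check (constructed)
    def __init__(self, trusted_root: bytes, botched_init: bool, require_proof: bool):
        # confirm_at: root -> time from which it is acceptable; missing roots read as 0.
        self.confirm_at = {trusted_root: 1}
        if botched_init:
            # Assumed botched update: the all-zero root ends up marked acceptable too.
            self.confirm_at[ZERO_ROOT] = 1
        self.require_proof = require_proof
        self.messages: dict[bytes, bytes] = {}  # message hash -> root that proved it
        self.processed: set[bytes] = set()
        self.balances: dict[str, int] = {}

    def prove(self, msg: Message, root: bytes) -> None:
        # Stand-in for Merkle proof verification; records which root proved the message.
        self.messages[msg.digest()] = root

    def acceptable_root(self, root: bytes) -> bool:
        return self.confirm_at.get(root, 0) != 0

    def process(self, msg: Message) -> bool:
        h = msg.digest()
        if h in self.processed:
            return False  # an identical replay is already blocked
        if self.require_proof and h not in self.messages:
            return False  # hardened form: never fall through to the default root
        root = self.messages.get(h, ZERO_ROOT)  # unproven message reads back as the zero root
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def accepts_modified_copy(replica: Replica, original: Message, other_recipient: str) -> bool:
    # Does the replica credit a copy of a proven message with only the recipient swapped?
    copy = Message(original.nonce, other_recipient, original.amount)
    return replica.process(copy)
```

Run against the same trusted root, the botched replica credits the modified copy while the one that requires a recorded proof rejects it, which is the check a defender wants in place before the acceptance table is ever consulted.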
Prior to the crypto hack, Nomad had been in the news for positive reasons. Ironically, this was mostly due to its successful salesmanship of being the “secure” alternative for DeFi platforms, netting it a big round of venture capital funding in April. That positioning is likely taking a big hit, as Nomad has recovered just $9 million of the funds thus far, with most of the rest spotted being transferred to mixing services from which it will presumably disappear forever.
Cross-chain bridges have already lost over $1 billion to crypto hacks in 2022, with more than half of that owed to the record-setting Ronin breach (about $600 million) and the breach of Wormhole (about $300 million). The attack on Nomad may well have set the new record had there been more money on hand to steal.
Cross-chain bridges continue to struggle with management issues
As is the case with Nomad, the response to crypto hacks is usually very limited in terms of options: the platforms contact law enforcement, and (if investors are lucky) try to raise money to mitigate the damage. In Nomad’s case, the latest word is that a “technical plan of action” is underway. Though the company has raised enough money that it may well be able to make all of its customers whole in time, the blow to its brand reputation from this incident is tremendous.
While breaking out of the fiat system into an unregulated world of direct transactions has natural appeal, the entire enterprise hinges on security. The vaunted impenetrability of the blockchain becomes irrelevant if the DeFi nodes at the ends of cross-chain bridges keep having serious security slip-ups. As the Ronin network incident demonstrated, some of the world’s most advanced state-supported hackers are now targeting and probing DeFi platforms for any weaknesses they can find and are being quite creative in their approaches.