Crypto Bridges are Vulnerable AF
Nomad crypto bridge loses $200 million in ‘chaotic’ hack
Illustration by Alex Castro / The Verge
Hey Guys,
I’m an accountability journalist with regard to the fraud, pump and dumps, NFT scams and, moreover, the failed promises that are most of crypto and blockchain. Web3 and crypto media are extremely skewed and not what I would consider real journalism.
Typically it’s foreign actors like North Korea who are blamed for these “Bridge” hacks.
So what’s going on?
Cross-chain token bridge Nomad fell victim to a series of exploits that drained almost all of its funds on Monday, August 1st, 2022.
In a matter of two hours on Monday evening, the total value of crypto assets held on Nomad dropped from $190.3 million to $11,815 as of early Tuesday morning New York time.
The first sign of trouble began at about 9:23 pm UTC.
The Nomad bridge allowed token transfer between Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Moonbeam (GLMR), and Milkomeda C1 blockchains.
The Harmony hack is being blamed on the Lazarus Group (North Korea) according to preliminary analysis. That was $100 million in June 2022.
This is even bigger!
samczsun — a researcher at the crypto and Web3 investment firm Paradigm explains:
Nomad.xyz
In an unprecedented event, a hacker attacked the bridge and was followed by hundreds of other addresses replicating the attack systematically.
This is Nomad’s website:
Sorry bro, we’re not so optimistic right now!
Nomad's hack marks at least the third prominent bridge protocol to be hacked so far this year.
I thought blockchain tech was supposed to help with security?
Crowd-Looting in Web3
A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”
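Two of the facts in this account are things a bridge operator could have watched for: the locked value collapsing within a couple of hours, and hundreds of different senders submitting what was essentially the same transaction with their own address swapped in. As an added illustration, not code from the article, from CertiK or from Nomad, the Python below runs both heuristics over a constructed set of withdrawal transactions. Everything in it (the addresses, the `0xdeadbeef` function selector, the call shape, the amounts and timestamps) is made up for the example; only the $190.3 million locked value comes from the article, and nothing here reflects Nomad’s actual contract interface.

```python
"""Added example: two detection heuristics for a token-bridge monitor.

1. outflow_alerts()    - flags any fixed time window in which USD outflow exceeds a
                         fraction of the value locked in the bridge.
2. copycat_clusters()  - groups withdrawals whose calldata is identical except for the
                         recipient word, i.e. several senders replaying one transaction
                         template with their own address substituted.

All transactions, addresses, the function selector and timestamps below are
constructed for the example; only the $190.3M locked value comes from the article.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_TVL_USD = 190_300_000.0          # locked value before the incident, per the article
SELECTOR = "0xdeadbeef"                  # placeholder 4-byte function selector (constructed)
WORD_HEX = 64                            # one 32-byte ABI word as hex characters


@dataclass(frozen=True)
class Tx:
    block_ts: int      # unix timestamp of the including block
    sender: str        # 0x-prefixed account that submitted the withdrawal
    recipient: str     # 0x-prefixed address that receives the tokens
    value_usd: float   # USD value of the withdrawn tokens at the time
    calldata: str      # 0x-prefixed hex calldata of the call


def addr_word(addr: str) -> str:
    """ABI-encode an address as one 32-byte word (20 bytes, left-padded with zeros)."""
    return addr.lower().removeprefix("0x").rjust(WORD_HEX, "0")


def make_calldata(amount: int, recipient: str) -> str:
    """Constructed call shape: selector || uint256 amount || address recipient."""
    return SELECTOR + format(amount, "064x") + addr_word(recipient)


def calldata_template(tx: Tx) -> str:
    """Mask the recipient word so copies that differ only in recipient compare equal."""
    return tx.calldata.lower().replace(addr_word(tx.recipient), "<RECIPIENT>")


def copycat_clusters(txs: list[Tx], min_senders: int = 3) -> dict[str, list[str]]:
    """Return {calldata_template: sorted distinct senders} for every template that
    at least min_senders different senders reused."""
    senders_by_template: dict[str, set[str]] = defaultdict(set)
    for tx in txs:
        senders_by_template[calldata_template(tx)].add(tx.sender.lower())
    return {tpl: sorted(s) for tpl, s in senders_by_template.items() if len(s) >= min_senders}


def outflow_alerts(txs: list[Tx], tvl_usd: float, window_s: int = 600,
                   max_fraction: float = 0.05) -> list[tuple[int, float]]:
    """Bucket withdrawals into fixed windows and return (window_start, outflow_usd)
    for every window whose outflow exceeds max_fraction of the locked value."""
    outflow_by_window: dict[int, float] = defaultdict(float)
    for tx in txs:
        outflow_by_window[tx.block_ts - tx.block_ts % window_s] += tx.value_usd
    threshold = max_fraction * tvl_usd
    return sorted((ts, total) for ts, total in outflow_by_window.items() if total > threshold)


def build_sample() -> list[Tx]:
    """Constructed traffic: three ordinary withdrawals, then twelve copies of one
    withdrawal template submitted by twelve different senders within ten minutes."""
    burst_start = 1_659_388_980   # about 21:23 UTC on 2022-08-01 (constructed timestamp)
    txs: list[Tx] = []
    # Ordinary traffic over the preceding hour: distinct amounts, hence distinct templates.
    for i, (offset, usd) in enumerate([(-3600, 50_000.0), (-2400, 120_000.0), (-1200, 8_000.0)]):
        who = "0x" + format(0xa0 + i, "040x")
        txs.append(Tx(burst_start + offset, who, who, usd,
                      make_calldata(int(usd) * 10**18, who)))
    # Copycat burst: same amount word, only the recipient (and sender) differs.
    for i in range(12):
        who = "0x" + format(0x1000 + i, "040x")
        txs.append(Tx(burst_start + 12 * i, who, who, 1_000_000.0,
                      make_calldata(1_000_000 * 10**18, who)))
    return txs


if __name__ == "__main__":
    sample = build_sample()
    for ts, total in outflow_alerts(sample, SAMPLE_TVL_USD):
        print(f"ALERT window starting {ts}: ${total:,.0f} left the bridge "
              f"({total / SAMPLE_TVL_USD:.1%} of locked value)")
    for tpl, senders in copycat_clusters(sample).items():
        print(f"ALERT {len(senders)} distinct senders reused one calldata template: {tpl[:20]}...")
```

On the constructed sample the outflow check fires once, for the ten-minute window in which $12 million (about 6% of the locked value) leaves, and the template check groups the twelve copycat senders while leaving the three ordinary withdrawals alone. Either signal on its own is a reason to pause a bridge; both together are the pattern this post describes.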
That’s not chaos, it’s decentralized theft!
This angers me! Crypto was once portrayed as a way to democratize finance. These brotherhoods of young people and often fraudulent founders exploit and raid each other.
I guess we’re all just nomads on the way to dystopia, huh?
a16z’s Ideological Warfare
In a more optimistic take, Nassim Eddequiouaq, crypto CISO at Andreessen Horowitz, suggested the funds could be reclaimed from the “whitehats that drained preventively,” though the identities of those that obtained the funds from Nomad appear to be largely unknown.
That’s called damage control on the PR.
Would you Steal from a Brother?
Apparently if you hang out in Crypto Discords, you were motivated to share in the looting! This is despicable conduct.
Over the following hours, the attacks took $190.7 million worth of WBTC, USD Coin (USDC), Wrapped Ether (WETH), and several other tokens.
Decentralized Crowd-Looting
Crypto has such fine ethics. Unlike other crypto exploits where only a few addresses are directly tied to the hack, hundreds of addresses were responsible for draining the Nomad bridge of almost all the $190.7 million locked in it.
I don’t know guys, this is sort of sketchy.
What is Nomad Bridge?
Nomad is a bridge, a protocol that allows you to move tokens between blockchains, in this case, Avalanche, Ethereum, Moonbeam, Evmos, and Milkomeda C1.
A few days before the hack, Nomad announced that several major investors like Coinbase Ventures and Polychain Capital participated in the seed round that raised $22 million.
More than $1 Billion Stolen in 2022
Bridges are software that enable different types of blockchains and their respective tokens to interoperate, rather than work in silos.
They have become frequent victims of hacks in recent years, with more than $1 billion stolen from bridges in 2022, according to a June report by forensics firm Elliptic.
According to the Rekt database, $1.2 billion in crypto assets were stolen in the first quarter of 2022 – 80% of which came from bridges.
It’s not just toy money; real people are losing their life savings in these things.
Full of bad endings.
This year, just two hacks alone have accounted for almost a billion dollars of stolen funds: in February, the Wormhole bridge platform was hacked for $325 million after a hacker spotted an error in open-source code uploaded to GitHub and exploited it. Then, in March, a hacker stole around $625 million from the Ronin blockchain, which underlies the Axie Infinity crypto game.
They sound like places from Lord of the Rings. But it’s all part of the Web3 Decentralized wonderland where people go to YOLO and FOMO.
Then Harmony’s Horizon was drained of $100 million in June, and now this in August. Not a great year for crypto-security crypto-punks.
Long live the Bitcoin Elite and the blockchained.
But is it even worth covering crypto fraud? It’s so pervasive now. Babel Finance, the Hong Kong-based crypto lender that froze withdrawals last month, incurred “massive” losses while using customer funds for its own proprietary trading, according to a restructuring plan seen by Bloomberg.
You cannot make this stuff up.