US-based crypto project Nomad has been hit by a massive hack where almost $200 million dollars have been compromised on the platform. It is said that the hackers exploited a vulnerability in the transactional call data function of the platform and exploited multiple users.
Confirming the hack, the official Twitter handle of the company tweeted out relevant details about an investigation into the matter and that more updates were to be followed. Many experts believe this to be a very different and chaotic hack than some of the earlier ones in crypto.
What is Nomad?
Nomad is a US-based crypto project focused on interoperability between different networks, which is basically a way for two blockchains to be connected. The project basically uses programmable bridges to exchange different cryptos on various blockchains in a much cheaper and more secure manner.
The company recently announced a list of investors in its $22 million funding round where venture capital firms like Polychain Capital, Crypto.com, Coinbase and Ethereal Ventures were some of the big companies pooling in the cash.
The irony of the whole situation is that Nomad was betting big on its security and touting itself as being a security-first cross-chain messaging protocol. So much so, that in January, its CEO even went out saying that it’s “secure period”.
How did the hack happen?
A security researcher who goes by the pseudonym “samczsun” on Twitter, explained the hack when “a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all.”
If you want to dive into the technical nitty-gritty of the whole hack, you can have a look at this thread from the security analyst.Experts are saying that the vulnerability was so easy to exploit other hackers could have just copied the Nomad hacker’s transaction call data and used it to hack the platform.
What’s even more bizarre is that this very vulnerability was mentioned in the audit report that was published by QSP-19 a few months ago. The hack took place in a matter of hours when the platform was drained from $200 million to nil. As per some of the tweets on Nomad’s official Twitter handle, some of the money has been withdrawn by White Hat hackers and ethical researchers to make sure the entire amount doesn’t fall into the hands of scrupulous entities.
Nomad has also asked these individuals to send the funds they have withdrawn to dedicated addresses.
Some extra caution needed
Nomad says it’s working around the clock to return the funds and has also notified law enforcement. It is also working with chain analysis/intelligence firm TRM Labs to trace the funds and identify recipient wallets to recover the funds.
It is worth knowing that more than $1.8 billion in crypto has been stolen due to these bridge hacks over the past couple of years. The fact that these bridges are deployed in such a hurry without a proper audit leads to hackers exploiting these vulnerabilities.
Even the creator of Ethereum, Vitalik Buterin, has talked about his pessimism towards bridges, as they are still some of the most vulnerable when it comes to hacks.
This breach exacerbates the whole situation for the crypto community as it might be perceived as a crypto hack (which it is not).
Crypto is going through one of its worst phases and the news of any hacks related to crypto platforms is dissuading people from investing in tech. There is a dire need to be more proactive when it comes to the development of such underlying technologies so that these vulnerabilities can be nipped in the bud.