Here’s How Nomad Bridge Lost $190M In Another High-Profile Crypto Exploit

Nomad Bridge

On August 2, Nomad bridge hinted that it was aware of the ongoing exploit. Hours later came the news that the complete protocol’s funds of over $190 million had been drained. For the uninitiated, Nomad bridge is a token bridge for cross-chain transfers among Ethereum, Avalanche, Moonbeam and Milkomeda.

Samczsun, a crypto community developer, described the hack as “one of the most chaotic hacks witnessed by Web3.” The crypto thieves didn’t have any technical knowledge, which is why it was chaotic, the developer explained. They only required a transaction that worked, and then put their own address in place of the target address. A tweet shared in the ETH Security Telegram channel showed multiple transactions moving funds out of the bridge. On the surface, it seemed to be a misconfiguration in token decimals.

But after manually evaluating the Moonbeam network, Samczsun found out that the Ethereum transaction bridged 100 WBTC through some means while the Moonbeam transaction did bridge out 0.01 WBTC. This exploit was unique in that the transactions were executed directly and not ‘proved’. Samczsun further explained that it is not ideal to process a message without first proving it. On further digging, Samczsun found a fatal flaw in the ‘Replica’ smart contract that was initialized during a routine Nomad upgrade.

Samczsun further explained that the zero hash was marked as a valid root. As a result, messages could be spoofed on Nomad. Attackers took advantage of this by copying and pasting transactions, and rapidly exhausted the bridge in a “frenzied free-for-all.”
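To make the flaw concrete, here is a toy Python model added for this write-up; it is not Nomad's contract code, and every name in it (`ReplicaModel`, `prove`, `process`, `reject_zero_root`) is hypothetical. It assumes an unproven message reads back as the all-zero default, and shows why trusting the zero hash as a root lets such a message through, next to a check that refuses it.

```python
ZERO_ROOT = b"\x00" * 32  # the "zero hash" from the article


class ReplicaModel:
    """Toy model of a bridge inbox; names are hypothetical, not Nomad's code."""

    def __init__(self, committed_root, reject_zero_root=False):
        self.reject_zero_root = reject_zero_root
        # Roots the bridge trusts. Initialization marks committed_root as valid.
        self.valid_roots = {committed_root}
        # message hash -> root it was proven against (absent = never proven)
        self.proven_under = {}
        self.processed = set()

    def prove(self, message_hash, root):
        # Stand-in for Merkle proof verification: the caller names the root.
        if root not in self.valid_roots:
            raise ValueError("unknown root")
        self.proven_under[message_hash] = root

    def acceptable_root(self, root):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the default value can never be trusted
        return root in self.valid_roots

    def process(self, message_hash):
        # Assumption of this model: an unproven message reads back as the
        # all-zero default, like an unset mapping slot in a smart contract.
        root = self.proven_under.get(message_hash, ZERO_ROOT)
        if not self.acceptable_root(root) or message_hash in self.processed:
            return False
        self.processed.add(message_hash)
        return True


def demo():
    unproven = b"\x11" * 32   # constructed hash, never passed to prove()
    proven = b"\x22" * 32     # constructed hash, proven below
    real_root = b"\xaa" * 32  # constructed non-zero root
    flawed = ReplicaModel(committed_root=ZERO_ROOT)
    fixed = ReplicaModel(committed_root=ZERO_ROOT, reject_zero_root=True)
    sane = ReplicaModel(committed_root=real_root)
    sane.prove(proven, real_root)
    return {
        "flawed_accepts_unproven": flawed.process(unproven),
        "fixed_accepts_unproven": fixed.process(unproven),
        "sane_accepts_unproven": sane.process(unproven),
        "sane_accepts_proven": sane.process(proven),
    }
```

In the flawed configuration the check meant to confirm that a message was proven passes for any message at all, which is why no proof step appeared in the transactions.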

Nomad also got hold of the fake addresses trying to steal the funds returned to the bridge. In a period of just a few hours, the TVL of Nomad dropped from $190.38 million to $5,336, as per data from DeFiLlama. Nomad is the latest addition to the list of high-profile exploits of crypto projects, which includes Harmony, Wormhole and Ronin bridge.

Source: https://www.thecoinrepublic.com/2022/08/02/heres-how-nomad-bridge-lost-190m-in-another-high-profile-crypto-exploits/