Hacks resulting in crypto thefts have been numerous in recent months. Last June, for example, a hack led to the theft of the equivalent of $100 million in crypto. In both that case and the Nomad case, the theft of cryptoassets involved a bridge, one of the protocols that specialize in moving funds between blockchains almost instantaneously.
In the case of Nomad, however, a particularly gross error appears to be involved. The Nomad bridge is governed by a fully open-source smart contract, so anyone can read the code directly and hunt for flaws. Yet a configuration error in the smart contract allowed anyone to re-validate transactions that had already been executed, simply by changing the recipient’s address.
Massive Hack Targets Nomad Crypto Bridge
The process was so simple that no advanced knowledge was needed. In fact, when Nomad users began to see funds being drained from multiple addresses, some quickly caught on to the scheme and attempted to recover the stolen funds using the same process as the hackers, creating what looks like the first mass “looting” in the history of crypto.
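The flaw as the article describes it, in an added illustrative Solidity sketch that is not Nomad’s own contract. The assumption here is that the bridge keeps a table of trusted Merkle roots and that the configuration error marked the default zero root as trusted, so a message nobody had proven (including a copy of someone else’s message with the recipient swapped) passed validation; the constructor and `process()` checks below close that gap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative sketch (added example, not Nomad's code). Assumed design:
// prove() verifies a Merkle proof and records the root a message was
// proven against; process() pays out only messages with a trusted root.
contract Replica {
    // message hash => root it was proven against; bytes32(0) = never proven
    mapping(bytes32 => bytes32) public messages;
    mapping(bytes32 => bool) public acceptableRoot;
    mapping(bytes32 => bool) public processed;

    constructor(bytes32 committedRoot) {
        // The assumed configuration error: initialising with
        // committedRoot == bytes32(0) marks the "never proven" default as
        // trusted, so process() accepts every unproven message, including
        // a copy of someone else's message with the recipient swapped
        // (the copy has a new hash, so the replay check does not stop it).
        require(committedRoot != bytes32(0), "zero root is never trusted");
        acceptableRoot[committedRoot] = true;
    }

    // Sorted-pair Merkle proof, as in OpenZeppelin's MerkleProof.
    function prove(bytes32 leaf, bytes32[] calldata proof, bytes32 root) external {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            node = node < proof[i]
                ? keccak256(abi.encodePacked(node, proof[i]))
                : keccak256(abi.encodePacked(proof[i], node));
        }
        require(node == root && acceptableRoot[root], "bad proof or untrusted root");
        messages[leaf] = root;
    }

    function process(bytes calldata message) external {
        bytes32 h = keccak256(message);
        bytes32 root = messages[h];
        // Defence in depth: reject the unproven default explicitly instead
        // of relying on acceptableRoot[bytes32(0)] staying false.
        require(root != bytes32(0) && acceptableRoot[root], "message not proven");
        require(!processed[h], "already processed");
        processed[h] = true;
        // decode recipient and amount from `message` and release funds (elided)
    }
}
```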
For its part, Nomad explained on Twitter: “We are working hard to resolve the situation, have notified the authorities and have reached out to leaders in blockchain intelligence and investigations. Our goal is to identify the accounts involved and track and trace the funds. Thank you to our many White Hat friends who have acted upstream to protect the funds”.
As the firm notes, part of the stolen sums may be recovered easily thanks to the action of certain ethical hackers. At this stage, however, it is unclear how much was secured in this way. To make matters worse, according to Nomad, malicious actors are currently trying to impersonate the bridge with messages urging ethical hackers to return the funds…to an address under their control.
Nomad points out that for now “there are no [official] instructions to return the bridge’s funds”. And it adds: “please continue to hold them until we can give you the procedure to follow on this Twitter thread”.