Cross-chain bridge Nomad's total value locked (TVL) fell from around US$190 million to US$650 in a matter of hours, in one of the most chaotic crowd-looting exploits in DeFi history.
The first attack started when a single transaction removed 100 wrapped Bitcoin (WBTC), worth about US$2.3 million, from the bridge.
Shortly after, many community members copied the attack and between them drained the protocol.
How did it happen?
There was a fatal flaw in the smart contract. 0xfoobar, a DeFi and NFT founder, identified the flaw that led to the exploit.
During a routine upgrade, the team called the `initialize()` function with the zero root (0x00) as the committed root, which marked it as an acceptable root. The contract looks up the root a message was proven against in a mapping whose default value, for a message nobody has ever proven, is also zero. With the zero root marked acceptable, every message that had never been proven was treated as proven by default.
Even without any coding knowledge, users could simply copy the original attacker's transaction calldata, replace the recipient address with their own, and submit it. The edited calldata was a new, never-proven message, and the flawed check accepted it just as readily as the first one.
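To see why the flawed root check accepted unproven messages, and why swapping the recipient in the copied calldata worked, here is a simplified Python model of the check. It is an added example, not Nomad's Solidity code: the Solidity mapping behaviour of unset keys reading as zero is reproduced with dict lookups, hashlib.sha3_256 stands in for keccak256, and the message layout, the optimistic window, the sentinel values and the `reject_zero_root` switch are assumptions made for illustration.

```python
"""Simplified model of the Replica root check behind the Nomad exploit.

Added illustration, not Nomad's Solidity. Assumes a Solidity-style mapping
in which an unset key reads as zero; hashlib.sha3_256 stands in for
keccak256; message layout and optimistic window are placeholders.
"""
import hashlib

ZERO_ROOT = bytes(32)                       # bytes32(0): default for any unproven message
STATUS_PROCESSED = (2).to_bytes(32, "big")  # sentinel stored once a message is processed
OPTIMISTIC_SECONDS = 30 * 60                # assumed fraud-proof window


def message_hash(message: bytes) -> bytes:
    return hashlib.sha3_256(message).digest()  # stand-in for keccak256


class Replica:
    def __init__(self, committed_root: bytes, reject_zero_root: bool) -> None:
        # reject_zero_root=False reproduces the flawed check; True is the hardened variant.
        self.reject_zero_root = reject_zero_root
        self.confirm_at: dict[bytes, int] = {}   # root -> time after which it is acceptable
        self.messages: dict[bytes, bytes] = {}   # message hash -> root it was proven against
        self.now = 1_000_000                     # stand-in for block.timestamp
        self.initialize(committed_root)

    def initialize(self, committed_root: bytes) -> None:
        # The Nomad upgrade called this with committed_root == 0x00.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        self.confirm_at[committed_root] = 1

    def update(self, new_root: bytes) -> None:
        # A newly submitted root becomes acceptable once the optimistic window has passed.
        self.confirm_at[new_root] = self.now + OPTIMISTIC_SECONDS

    def prove(self, message: bytes, root: bytes) -> None:
        # Merkle-proof verification is omitted here (assumed already checked).
        self.messages[message_hash(message)] = root

    def acceptable_root(self, root: bytes) -> bool:
        if root == STATUS_PROCESSED:
            return False
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                         # the guard the flawed version lacked
        confirmed_at = self.confirm_at.get(root, 0)  # unset entry reads as 0
        return confirmed_at != 0 and self.now >= confirmed_at

    def process(self, message: bytes) -> bool:
        h = message_hash(message)
        # A message nobody ever proved has no entry, so its "root" is ZERO_ROOT.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.messages[h] = STATUS_PROCESSED      # replay guard: identical calldata fails next time
        return True


def craft_transfer(recipient: str, amount_wbtc: int) -> bytes:
    # Constructed stand-in for a bridge message; only the recipient field matters here.
    return f"transfer:{recipient}:{amount_wbtc}".encode()


def copycat_results(replica: Replica, n_copycats: int) -> list:
    """Process the first attacker's message, replay it, then n copies with a swapped recipient."""
    original = craft_transfer("0xAttacker", 100)
    results = [replica.process(original), replica.process(original)]
    for i in range(n_copycats):
        results.append(replica.process(craft_transfer(f"0xCopycat{i}", 100)))
    return results


if __name__ == "__main__":
    vulnerable = Replica(ZERO_ROOT, reject_zero_root=False)
    print("vulnerable:", copycat_results(vulnerable, 3))  # [True, False, True, True, True]
    hardened = Replica(message_hash(b"genesis"), reject_zero_root=True)
    print("hardened:  ", copycat_results(hardened, 3))    # [False, False, False, False, False]
```

Running it shows the vulnerable replica processing the attacker's message and every recipient-swapped copy while rejecting only the exact replay; the hardened variant refuses a zero committed root at initialization, rejects every unproven message, and still processes a message that was proven against a root whose optimistic window has elapsed.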
While a few of those exploiters have publicly come forward and offered to return their funds, most of the money is as good as gone.
Earlier this year, Nomad managed to raise US$22.4 million in seed funding at a US$225 million valuation. The funding saw participation by some of the biggest names in Web 3.0.
The seed round was led by crypto investment firm Polychain and joined by the venture capital arm of crypto exchange Coinbase, non-fungible token (NFT) marketplace OpenSea, Crypto.com Capital, crypto market-maker Wintermute, decentralized finance (DeFi) platform Gnosis and the Polygon blockchain.
Vitalik sounds alarm about the security of cross-chain bridges
At the start of the year, Vitalik Buterin, the co-founder and chief scientist of Ethereum, sounded the alarm over the security of cross-chain bridges, warning of their vulnerability in the event of 51% attacks.
While the burgeoning cross-chain ecosystem has allowed users to avoid the expense of using Ethereum's mainnet, cross-chain protocols were among those hit hardest by hackers in 2021.
THORChain suffered multiple exploits, and Poly Network was hit for about US$600 million, at the time the largest DeFi hack on record (although the funds were eventually returned).
Vitalik emphasized the fundamental security limits of bridges and argued that blockchains can "maintain many of their guarantees even after a 51% attack," contradicting the popular perception that "everything breaks" for a network in the event of a successful 51% attack.
[Editor’s Note: This article does not represent financial advice. Please do your own research before investing.]
Featured Image Credit: Chain Debrief