Nomad Cryptocurrency Platform Hacked: $190 Million Lost


Summary #

On August 1, 2022, Nomad, a cryptocurrency platform, experienced a chaotic hacking incident resulting in a loss of more than $190 million. The hack occurred when multiple users took advantage of an accidental error in a recent update, allowing them to drain funds from the blockchain protocol. An investigation conducted by samczsun, the head of security at Paradigm, a web3 investment firm, revealed that one of Nomad’s smart contracts had been modified in a way that made it vulnerable to transaction spoofing. This vulnerability enabled users to transfer funds between blockchains without proper verification of the transaction amounts, leading some users to withdraw funds that were not rightfully theirs. The blockchain audit company Zellic reached the same conclusion in its independent analysis.

In response to the hack, Nomad proactively offered a reward of up to 10% for the return of the stolen funds. Those who returned more than 90% of the looted amount would be recognized as “white hat” hackers and allowed to keep the remaining portion. Nomad made it clear that no legal action would be taken against individuals who returned the funds. As a result, white hat hackers returned over $36 million to the platform, contributing to the recovery efforts.

Attackers #

The true identity of the initial attacker remains unknown, since the hack itself stemmed from an error rather than a targeted intrusion. It is known, however, that a significant number of accounts exploited this vulnerability: once other attackers became aware of the situation, they mobilized large numbers of bots to execute similar attacks.

Losses #

The hack resulted in losses of over $190 million, but ethical hackers later returned $36.2 million to Nomad’s wallet.

Timeline #

Security Failure Causes #

Smart Contract Vulnerability: The Nomad team reported that an authentication bug allowed fraudulent messages to be transmitted to the Nomad BridgeRouter contract. The Replica contract authenticated messages inadequately and accepted forged ones, so every contract that relied on Replica for message authentication was exposed to the breach.
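To make the failure mode concrete, the following is an added, simplified Python model of a cross-chain message "replica"; it is not Nomad's Solidity code and not the Nomad team's patch. It reflects the mechanism described in the public post-mortems: a contract upgrade initialised the committed root to all zeros and marked it as confirmed, so a message that had never been proven (whose stored root was still the default zero value) passed the acceptability check. The Merkle helpers, the `Replica` class, the `strict` flag and the sample bridge messages are all constructed for this illustration; the hardened variant shows two defensive checks (never trust the zero root, and require a message to have been proven before it is processed), which is my illustration of a fix rather than the project's actual change.

```python
"""Toy model of optimistic cross-chain message verification (added example).

Not Nomad's code. Mirrors the flaw class behind the August 2022 incident:
a replica that treats the all-zero root as an acceptable root will process
any message that was never proven, because "never proven" is stored as the
same zero value.
"""
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value for an unproven message (Solidity bytes32(0))


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(message: bytes) -> bytes:
    return sha256(b"leaf:" + message)


def merkle_root(leaves):
    """Pairwise-hash a list of leaves up to a single root (odd levels duplicate the last node)."""
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(leaves, index):
    """Return [(sibling_hash, sibling_is_left), ...] for the leaf at `index`."""
    level = list(leaves)
    proof = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return proof


def verify_proof(leaf, proof, root) -> bool:
    h = leaf
    for sibling, sibling_is_left in proof:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h == root


class Replica:
    """Constructed stand-in for a bridge replica contract."""

    def __init__(self, committed_root: bytes, strict: bool):
        if strict and committed_root == ZERO_ROOT:
            raise ValueError("refusing to initialise with the zero root")
        self.strict = strict
        self.confirm_at = {committed_root: 1}  # the flawed upgrade did this with 0x00
        self.messages = {}                     # leaf hash -> root it was proven under
        self.processed = set()

    def update(self, new_root: bytes) -> None:
        # In a real bridge this is signed by an updater and subject to a fraud window; elided here.
        self.confirm_at[new_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.strict and root == ZERO_ROOT:
            return False               # hardened: the default root is never trusted
        return self.confirm_at.get(root, 0) != 0

    def prove(self, message: bytes, proof, root: bytes) -> bool:
        leaf = leaf_hash(message)
        if not verify_proof(leaf, proof, root):
            return False
        self.messages[leaf] = root
        return True

    def process(self, message: bytes) -> bool:
        leaf = leaf_hash(message)
        if leaf in self.processed:
            return False               # replay protection
        if self.strict and leaf not in self.messages:
            return False               # hardened: must have been proven first
        root = self.messages.get(leaf, ZERO_ROOT)  # unproven messages read back as 0x00
        if not self.acceptable_root(root):
            return False
        self.processed.add(leaf)
        return True


def demo():
    """Run a proven message and a never-proven (forged) message through both replicas."""
    legit = [b"transfer:alice->bob:10", b"transfer:carol->dave:5"]   # constructed sample messages
    leaves = [leaf_hash(m) for m in legit]
    root = merkle_root(leaves)
    forged = b"transfer:bridge->nobody:1000000"                        # constructed; never committed

    vulnerable = Replica(committed_root=ZERO_ROOT, strict=False)        # the flawed initialisation
    vulnerable.update(root)
    hardened = Replica(committed_root=root, strict=True)

    results = {}
    for name, replica in (("vulnerable", vulnerable), ("hardened", hardened)):
        assert replica.prove(legit[0], merkle_proof(leaves, 0), root)
        results[name + "_proven_ok"] = replica.process(legit[0])
        results[name + "_forged_accepted"] = replica.process(forged)  # no prove() call at all
        results[name + "_replay_ok"] = replica.process(legit[0])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The telling line is `self.messages.get(leaf, ZERO_ROOT)`: in both Solidity and this model an unproven message reads back as the zero value, so whether the zero root is "acceptable" decides whether authentication exists at all. The detection-side lesson is to alert on any upgrade or initializer that writes a trusted root equal to zero, and to monitor for `process` calls that were never preceded by a `prove` for the same message hash.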