August 2022 did not start well for the crypto firm Nomad. As the series of hacks continue in the DeFi space, a new case of breach happened in the Nomad bridge. Considered the worst hack to date, the attackers drained the bridge immediately once they managed to activate the exploit.
However, unlike most attacks, the Nomad bridge hack did not use a complex heist.
It happened in the first week of August, when the illicit transaction happened at 9:32 am, UTC.
Nomad saw removal of 100 Wrapped Bitcoins (WBTC) – roughly around $2.3 million. Soon after, the attack continued until the community reported the breach.
Another Hack but a Rare Kind
The hack possessed hundreds of addresses that yielded coins from the bridge. The attackers then deleted all the tokens in a rather uncommon fashion; taking out equal-valued tokens through 200 transactions. It equated to an estimate of $202,440.73 per transfer.
A researcher from crypto firm Paradigm named Samczsun tweeted updates about the smart contracts on Nomad made during the hacking event.
The smart contracts were tainted with fake transactions, forcing users to take out money from the bridge that was not theirs.
This naturally caused panic in the community although a person claiming to be a white hacker said he will return the funds to all affected users. He said he has not swapped assets even if it is possible for USDC transfers to freeze. He only waits for the official reply from the Nomad team.
Possible Cause of Attack
The multiple hacks resulted in an unofficial $190 million loss, making it one of the worst and most chaotic DeFi hacks since the Axie Infinity heist. The number was based on the wrapped assets lost such as wETH, wBTC, and USDC. Security analysts on social media picked up the trail and announced the breach on Twitter during the time of the hack (August 1, 2022).
Samczsun said that hackers exploited the Replica contract system – a mechanic exclusive in Nomad wherein users can do small deposits to the bridge and receive money back.
However, the hack compromised this and allowed larger money withdrawals, giving users an amount that can make their jaws drop. Had the security applied better Solidity defense, it would have been averted. However, DeFi exploiters use this system and copy-pasted the exploit around the bridge.