All You Need to Know about Nomad Bridge Exploit

Reportedly, the crypto community noticed some strange transactions on Nomad, a cross-chain bridge between Ethereum and Moonbeam.

Specifically, MetaMask developer @sniko_ shared a series of transactions that paid up to 350,000 USD but still failed. The same developer later found that the activity was an attack on Nomad, in which WBTC, WETH, USDC, and many other ERC-20 tokens were being withdrawn en masse in countless small transactions.

The sender of this tx is then withdrawing (calling process()) on Nomad bridge 👀

It is related? Are they trying to exploit Nomad? There's a chain of contracts on this $350k failed tx. Might update later if I find anything worthy https://t.co/g6n8pu6eit

cc: @nomadxyz_

— harry.eth 🦊💙 (whg.eth) (@sniko_) August 1, 2022

Not great to be exploited by 🍉🍉🍉.eth pic.twitter.com/Wrotdi2XNp

— foobar (@0xfoobar) August 1, 2022

According to user @1kbeetlejuice, Nomad's smart contract was drained over the next 2 hours, its balance falling from 176.6 million USD to almost zero.

What Exactly Happened With Nomad?

User FatManTerra claimed that this attack was carried out by multiple accounts, or even turned into a "foul" situation in which people copied the first hacker's transaction, changed only the address, and withdrew money from Nomad. FatMan also joked that this is the first "decentralized" attack in the crypto industry, true to the nature of the cryptocurrency sector.

Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge – all one had to do was copy the first hacker's transaction and change the address, then hit send through Etherscan. In true crypto fashion – the first decentralized robbery. https://t.co/jWV9AamBer

— FatMan (@FatManTerra) August 2, 2022

SlowMist traced the flow of funds to the three wallet addresses that took the most money from Nomad, with a total value of up to $90 million.

Security expert samczsun later discovered that Nomad's vulnerability stemmed from the project granting withdrawal permission to the default message root of 0x000… Someone discovered that and proceeded to withdraw. Others then discovered the vulnerability and simply copied the first hacker's transaction.

11/ This is why the hack was so chaotic – you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it

— samczsun (@samczsun) August 2, 2022
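The flaw described above, a default all-zero root being treated as trusted, can be modelled in a few lines. This is an added example, not code from Nomad or from the original article: a simplified Python model in which `Inbox`, `record_proof`, `acceptable_root` and `reject_zero_root` are assumed names and the messages are constructed samples. It shows the weak check beside a hardened one that refuses the zero root.

```python
# Simplified model of a bridge inbox; names are illustrative, not Nomad's code.
import hashlib

ZERO_ROOT = bytes(32)  # default value of an unset 32-byte storage slot


class Inbox:
    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        self.reject_zero_root = reject_zero_root
        self.confirm_at = {}   # root -> time from which it is trusted (0 = never)
        self.messages = {}     # message hash -> root it was proven under
        self.processed = set()
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1  # initial root is trusted immediately

    def record_proof(self, message: bytes, root: bytes) -> None:
        # Assumption: the Merkle proof of `message` under `root` was verified
        # by the caller; only the resulting bookkeeping is modelled here.
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # "never proven" must not look like a trusted root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= now

    def process(self, message: bytes, now: int) -> bool:
        digest = hashlib.sha256(message).digest()
        # Unset mapping entries read as zero, as in contract storage.
        root = self.messages.get(digest, ZERO_ROOT)
        if digest in self.processed or not self.acceptable_root(root, now):
            return False
        self.processed.add(digest)
        return True


def demo() -> dict:
    msg = b"constructed sample: release 100 tokens to address A"
    good_root = hashlib.sha256(b"constructed root").digest()
    weak = Inbox(ZERO_ROOT, reject_zero_root=False)
    fixed = Inbox(good_root, reject_zero_root=True)
    results = {"weak_unproven": weak.process(msg, now=1000),
               "fixed_unproven": fixed.process(msg, now=1000)}
    fixed.record_proof(msg, good_root)
    results["fixed_proven"] = fixed.process(msg, now=1000)
    results["fixed_replay"] = fixed.process(msg, now=1000)
    return results
```

In the weak configuration every message that was never proven maps to the zero root and passes, which is why no knowledge of Merkle trees was needed; the hardened configuration accepts a message only after a proof has been recorded for it.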

Nomad has announced the closure of its cross-chain bridge to investigate the cause and warned users to be on the lookout for impostor accounts that are calling for the voluntary return of money from looters.

We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.

— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022

We're aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren't yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad's official channel: @nomadxyz_

— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022

Hackers Send Back $9M to Nomad Bridge

Hackers returned $9 million to Nomad a day after the cross-chain bridge was exploited for $190.38 million. The blockchain security company PeckShield says that 4.75% of the total loss has been returned so far, equating to around $9 million.

In a tweet, the protocol asked white hat hackers or ethical researchers to return funds. Crypto custodian Anchorage Digital will handle and safeguard the returned assets.

Most funds sent back seem to have been stablecoins, with $3.78 million USDC and another 2 million USDT being reclaimed by multiple addresses.

Voice Of Crypto
voiceofcrypto.online