The Nomad bridge has been drained of all funds after an exploit of a vulnerability in the bridge contract that allowed it to accept arbitrary root hashes. This let several entities withdraw large amounts of assets from the bridge unchecked, as confirmed by Evmos. Nomad is currently paused, so users cannot withdraw their wrapped ERC20 assets from Evmos back to Ethereum.

This exploit was made possible because, during a recent routine upgrade, the Nomad team initialized the trusted root to 0x00. This had the side effect of treating every message as already proven. Attackers therefore did not need to understand Solidity or Merkle trees at all: they only had to find a transaction that had worked, replace the original recipient's address with their own, and re-broadcast it. Twitter user @samczsun explains the full details of the hack in this thread.
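To make that failure mode concrete, the following is a simplified Python model added here (it is not Nomad's code) of a replica contract's "has this message been proven?" check: an unproven message reads back the storage default, the all-zero root, so once 0x00 is itself a confirmed root the check passes for every message. The `Replica` class, its method names and the `reject_zero_root` hardening switch are illustrative assumptions, not the real contract's API.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # storage default of an unset bytes32 slot


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha3_256(message).digest()  # stand-in for keccak256


class Replica:
    """Toy model: a message may be processed only if the Merkle root it
    was proven against has been confirmed as trusted."""

    def __init__(self, committed_root: bytes, reject_zero_root: bool):
        self.confirm_at = {}      # root -> time at which it becomes acceptable
        self.messages = {}        # message hash -> root it was proven against
        self.processed = set()
        self.reject_zero_root = reject_zero_root
        # Modelled bug: the upgrade initialised the trusted root to 0x00 and
        # the initialiser marked that root as confirmed long ago (time 1).
        if reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust an all-zero root")
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        ts = self.confirm_at.get(root, 0)
        return ts != 0 and ts <= now

    def prove(self, message: bytes, root: bytes) -> None:
        # The real contract verifies a Merkle proof here; omitted in the model.
        self.messages[msg_hash(message)] = root

    def process(self, message: bytes, now: int) -> bool:
        h = msg_hash(message)
        if h in self.processed:
            return False                      # replay protection
        # An unproven message reads back the default: the zero root.
        stored_root = self.messages.get(h, ZERO_ROOT)
        if self.reject_zero_root and stored_root == ZERO_ROOT:
            return False                      # hardened: unproven never passes
        if not self.acceptable_root(stored_root, now):
            return False
        self.processed.add(h)
        return True


def demo() -> tuple:
    unproven = b"constructed sample message that was never proven"
    vulnerable = Replica(ZERO_ROOT, reject_zero_root=False)
    hardened = Replica(b"\x11" * 32, reject_zero_root=True)
    # vulnerable accepts the unproven message, hardened rejects it
    return vulnerable.process(unproven, now=100), hardened.process(unproven, now=100)
```

The hardened variant fails closed on two counts: it refuses to record the zero root as trusted at initialisation, and it rejects any message whose stored root is still the storage default.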


The attack also initially appeared to affect Moonbeam. Soon after the hack, Moonbeam announced that it had entered maintenance mode to investigate the issue, but it has since resumed full functionality once it became evident that the security threat was not related to the Moonbeam codebase but to the Nomad bridge to Moonbeam.

About Nomad 

Nomad is an optimistic interoperability protocol that enables secure cross-chain communication, allowing for a variety of cross-chain transactions.

Using Nomad:

Users can bridge tokens between chains

Asset issuers can deploy tokens across chains

DAOs can facilitate the execution of cross-chain governance proposals

Developers can build native cross-chain applications (xApps)

Learn More

Docs

Twitter 

Discord
