Cross-Chain Bridge Nomad Exploited $190 Million

The cross-chain bridge Nomad was attacked and hackers managed to siphon $190 million from the protocol draining a great majority of the funds.

Cross-Chain Bridge Nomad Exploited $190 Million

The Nomad cross-chain bridge attack was the third biggest crypto heist in 2022 as well as the ninth largest of all time. 

Cross-Chain bridges in the world of DeFi after being audited on August 1, 2022, the cross-chain bridge Nomed suffered an attack that saw the bridge lose $190 million in crypto funds. 

CertiK is the leading security-focused ranking platform to analyze and monitor blockchain protocols and DeFi projects. Certik, launch an incident report describing what happened with the Cross-Chain bridge. 

The vulnerability was in the initialization process where the committed room is set as ZERO, Certik wrote the attackers were able to bypass the message verification process and drain the tokens from the bridge Smart contract. 

Certik expressed: 

The exploit occurred when a routine upgrade allowed verification messages to be bypassed on Nomad. Attackers abused this to copy/paste transactions and were able to drain the bridge of nearly all funds before it could be stopped.

The Nomad bridge used by non-Avalanche chains was hacked today, Gun Sirer wrote Nomad was the official bridge for EVMOS, Moonbeam (Polkadot EVM), and Milkomeda the Avalanche Bridge is unaffected. 

Furthermore, Certik said this particular bug, would be difficult to discover under Conventional Auditing practices. 

This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurational auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by mistakes in the deployment parameters, Certik report on the Nomad situation concludes a broader auditing process and full scope penetration test that includes validating deployment processes would potentially capture this bug. 

Related : Ongoing Solana-based wallet hack seeing millions drained