Nomad cross-chain protocol lost almost all funds in exploit

What’s new? Experts at blockchain security company SlowMist have reported an attack on the Nomad cross-chain protocol. Analysts were able to track the movement of stolen funds using the MistTrack platform, and they estimate that the total damage from the incident exceeded $90 million. In addition, Nomad representatives told Cointelegraph that some of the funds were withdrawn by white hackers in order to protect them from theft. According to DefiLlama, almost all of the cryptocurrencies worth over $190,3 million have been withdrawn from the bridge, with the total value locked (TVL) being $10 937.

🚨SlowMist Security Alert🚨@nomadxyz_ , a cross chain protocol was recently hacked causing majority of their funds to be stolen.We used @MistTrack_io and traced ~90M to the following 3 addresses here. Follow us as we continue our investigation into this exploit. pic.twitter.com/HSV5SPU33J— SlowMist (@SlowMist_Team) August 2, 2022

What else is known about the attack? The attackers managed to withdraw the stolen funds to three Ethereum addresses. Most of the assets are in wrapped bitcoin (WBTC) and USDC stablecoins. A researcher at crypto investment firm Paradigm, nicknamed samczsun, believes that a recent update to one of Nomad’s smart contracts made it easier to fake transactions, allowing users to withdraw funds from the bridge that do not actually belong to them.

3/ My first thought was that there was some misconfiguration for the token's decimals. After all, it seemed as though the bridge was running a "send 0.01 WBTC, get 100 WBTC back" promotion pic.twitter.com/H9IOJRYB0G— samczsun (@samczsun) August 1, 2022

At the moment, the Nomad team is investigating to identify the vulnerability. Developers noted that scammers have begun posing as Nomad representatives and providing fake addresses to raise funds. The team noted that they have not yet provided an asset recovery plan, and all news will appear on their official account.

We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds. We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel: @nomadxyz_— Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022

On July 23, Audius, a decentralized music service, suffered a hack that resulted in hackers withdrawing $6 million in cryptocurrency. According to cybersecurity company CertiK, the attackers changed certain configurations of a smart contract used by Audius’ governance system.