In the early morning of August 2, Beijing time, Nomad Bridge was attacked, resulting in losses worth approximately $190 million. Its Replica contract was fatally flawed: a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers took advantage of this by copying and pasting transactions, and in just one night the assets on the Nomad cross-chain bridge were quickly drained.
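As an added illustration, not Nomad's code or the page's own, the following simplified Python model shows why marking the zero hash as a confirmed root lets a message that was never proven pass the replica's check, and what the hardened check looks like; class, field and function names are assumptions:

```python
# Added illustration (not Nomad's code): a simplified model of the root check in a
# cross-chain "replica" contract. A message may be processed only if the Merkle
# root it was proven under has been confirmed. Unproven messages map to the zero
# root, so marking the zero hash as confirmed at initialization lets anyone
# process a message that was never proven. All names below are assumed.
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32


@dataclass
class Replica:
    confirmed_at: dict = field(default_factory=dict)  # root -> confirmation time (0 = none)
    messages: dict = field(default_factory=dict)      # message hash -> root it was proven under
    processed: set = field(default_factory=set)
    reject_zero_root: bool = False                    # hardening switch

    def initialize(self, committed_root: bytes) -> None:
        # The upgrade step: the configured root is recorded as confirmed.
        # Passing the zero hash here is the fatal misconfiguration.
        self.confirmed_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: the "never proven" sentinel is never acceptable
        return self.confirmed_at.get(root, 0) != 0

    def process(self, message: bytes) -> bool:
        h = sha256(message).digest()
        if h in self.processed:
            return False  # replay protection
        root = self.messages.get(h, ZERO_ROOT)  # never proven -> zero root
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def unproven_message_passes(committed_root: bytes, reject_zero_root: bool) -> bool:
    """Does a message that was never proven get processed under this configuration?"""
    replica = Replica(reject_zero_root=reject_zero_root)
    replica.initialize(committed_root)
    sample = b"constructed sample: transfer 1000 tokens to recipient"  # never proven
    return replica.process(sample)


if __name__ == "__main__":
    real_root = sha256(b"constructed sample root").digest()
    print("zero root committed, no hardening:", unproven_message_passes(ZERO_ROOT, False))  # True
    print("zero root committed, hardened:", unproven_message_passes(ZERO_ROOT, True))        # False
    print("real root committed:", unproven_message_passes(real_root, False))                 # False
```

The middle case shows the defensive fix: treat the zero root as a sentinel that is never acceptable regardless of what an upgrade writes into the confirmed-root table.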
Security firm PeckShield found that some of the attackers had prior history. One address ending in "ab49" had previously been involved in the theft from Rari Capital, and made a profit of about $3 million in the Nomad attack. A large number of ordinary users' addresses took part in this incident, far more participants than in previous similar incidents, and many of those addresses can be linked to KYC'd addresses.
As Terra researcher FatMan puts it, "Anyone can steal $3k to $20k off the Nomad bridge: all one has to do is copy the first hacker's transaction and change the address, then hit send via Etherscan. This is the first decentralized heist to happen in a truly crypto way."
To steal or give back, that is the question
Whether because their Web2 identities were exposed or out of a sense of responsibility for Web3 security, some users spontaneously returned funds. "🍉🍉🍉.eth", one of the earliest addresses to take part in this return campaign, said bluntly on Twitter, "FBI, please calm down. I did not intend to steal this money." He returned as much as $4 million in assets obtained in the attack.
But even for users who take the initiative to return funds, there are still risks.
On the day of the theft, multiple addresses appeared asking the attackers to return the stolen funds, but Nomad later confirmed that all of these addresses were fake. On the morning of August 2, Nomad officially stated, "We are aware of impersonators fraudulently providing addresses for returning funds. We have not yet provided instructions for returning stolen cross-chain funds. Please ignore all communication except from Nomad's official channels."
Fortunately, the official return address was announced shortly after.
On August 3, Nomad announced the Nomad Bridge fund return process on Twitter, calling on white hat hackers and ethical security researchers to send funds (ETH / ERC-20 tokens) to the official Ethereum wallet address. It is reported that Nomad is working with blockchain analysis company TRM Labs and law enforcement agencies to track the flow of funds and identify recipient wallets to coordinate the return of stolen funds.
According to the OKLink multi-chain explorer, as of the publication of this article, assets worth about US$16.5 million have been returned. Although this is far less than the amount stolen, it is still a good start.
Some people returned it, while others happily accepted the "ill-gotten gains".
PeckShield monitoring shows that in the Nomad attack, about 41 addresses made a profit of about $152 million (accounting for 80%), including about 7 MEV bots (about $7.1 million), the Rari Capital hacker (about $3.4 million) and 6 white hat hackers (approximately $8.2 million); about 10% of the addresses, which carry ENS domain names, made a profit of $6.1 million. The number of addresses that traded away the funds directly after exploiting the vulnerability reached 739, nearly 60%.
Schrödinger's cross-chain bridge security
Since the crypto world entered the multi-chain era, cross-chain bridges have become indispensable infrastructure. However, in the current market, official single-chain-to-single-chain bridges struggle to meet user needs, and multi-chain cross-chain bridges have become a hard requirement. Third-party cross-chain protocols, with support for a wider range of public chains, have become the mainstream choice for users moving assets between chains.
Many cross-chain bridge protocols have accumulated large TVL thanks to the convenience of their products, but the high locked value has also made them coveted targets for hackers. Last summer, Poly Network (O3 Swap) suffered the largest hack in the history of the crypto world, with about $610 million in assets stolen.
At the beginning of this year, Vitalik Buterin also warned that cross-chain designs carry serious security problems. Cross-chain options are not ideal because they increase security risk during asset transfers: as an asset moves across more and more chains and dApps with different security assumptions, its attack surface grows over a wider network area.
The Nomad incident is even more absurd. The hackers did not use any "clever" means to launch the attack; they simply took advantage of a vulnerability the team had missed, and this "attack" could be replicated by anyone.
For ordinary users, the security of cross-chain bridges is always "Schrödinger's": when a bridge has not been stolen from, we don't know whether it is safe; only once it has been stolen from do we know it is not.
Among the many emerging public chains, a safe and efficient cross-chain bridge design remains an unsolved technical challenge in the crypto world. Perhaps as the industry develops, better solutions will emerge.
