A bad year for the security of cross-chain bridges continues as Nomad, a bridge for Ethereum and several other tokens operated by Evmos, has been hit by a crypto hack that drained about $190 million of its stored funds.
While the dollar amount is not a record-breaker for DeFi crypto hacks (even for 2022 alone), this attack is particularly damning due to the ease with which it was executed; attackers discovered that they were able to simply swap out account numbers in a known working transaction, creating a “free for all” with numerous participants stealing funds from the network with no real specialized knowledge required.
Embarrassing security lapse another blow to reputation of DeFi cross-chain bridges
Rooted in Evmos’ Cosmos blockchain ecosystem, Nomad allows for swapping between quite a few types of tokens: Ethereum, Wrapped Ether, Wrapped Bitcoin, USD Coin, Dai, Saddle DAO and more. The crypto hack drained Nomad of its holdings of all of these different coin types. The $190 million stolen represented nearly everything the cross-chain bridge had on hand to facilitate transactions.
The Nomad Twitter account indicated on August 1 that the organization was aware of the breach, had contacted law enforcement and had initiated an investigation. It also issued an “incident update” later in the day indicating it was developing a technical plan of action, but with no specifics given as of yet.
Security researcher “samczsun” explained the crypto hack on Twitter within about two hours of its start; it was apparently caused by a very basic security oversight. An update to the Replica smart contract used by the cross-chain bridge created a major flaw in the message validation process, allowing anyone to copy a known existing valid transaction string and swap in their own account number to essentially “run it back” and have the same amount of funds sent to their own account.
Needless to say, samczsun was far from the only person who picked up on this botched update. By the time he took to Twitter to document it within a few hours, people were already looting the cross-chain bridge for everything they could. It is still not clear how many people got in on it, but the only limiting factor to the crypto hack was the amount of funds Nomad had on hand to steal.
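A simplified Python model of the validation flaw described above, added here as an illustration and not Nomad's contract code. The article does not give the root cause; the zero-root detail follows public post-mortems of the incident, and the class, method names and sample message are constructed for this sketch.

```python
import hashlib
import time

ZERO_ROOT = b"\x00" * 32  # value an unset bytes32 mapping entry reads as


class Replica:
    """Toy bridge inbox: a message is processed only under a confirmed root."""

    def __init__(self, committed_root, hardened):
        self.hardened = hardened
        self.messages = {}     # message hash -> root it was proven under
        self.processed = set()
        # The initializer trusts its starting root. Passing the zero root
        # makes "never proven" indistinguishable from "proven and confirmed".
        self.confirm_at = {committed_root: 1}  # root -> earliest valid time

    def prove(self, message, root):
        # Stand-in for Merkle proof verification (assumed to have succeeded).
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root, now):
        if self.hardened and root == ZERO_ROOT:
            return False  # a default/unset value must never validate
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and confirm_time <= now

    def process(self, message, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(message).digest()
        if digest in self.processed:
            return False  # replay of an already processed message
        root = self.messages.get(digest, ZERO_ROOT)  # unproven reads as zero
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(digest)
        return True


def demo():
    """Submit a never-proven, constructed message to three configurations."""
    real_root = hashlib.sha256(b"constructed root").digest()
    unproven = b"constructed: release 100 tokens to <any recipient>"
    configs = {"vulnerable": (ZERO_ROOT, False),
               "hardened": (ZERO_ROOT, True),
               "nonzero_init": (real_root, False)}
    return {name: Replica(root, hard).process(unproven)
            for name, (root, hard) in configs.items()}
```

Only the configuration initialized with the zero root and lacking the explicit zero check accepts the unproven message; either the check or a non-zero initial root closes the gap.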
Though the total amount of the theft is not a record-setter, it is at least in the neighborhood of the two big crypto hacks that have hit cross-chain bridges this year: the $600 million stolen from Axie Infinity’s Ronin bridge and the $300 million taken from the Solana blockchain’s Wormhole bridge. However, it would have likely set records had there simply been more money in there to steal. It is the most inept of these breaches from a technical perspective; Wormhole at least involved some hacking for a single attacker to find an exploitable element in the smart contract code, and the Ronin incident appears to have involved an elaborate job offer scam conducted by North Korea’s advanced state-backed hackers.
As Erich Kron (Security Awareness Advocate at KnowBe4) observes, the crypto market in general is still in a “Wild West” state, but no aspect of it more so than the DeFi platforms: “While we have had thousands of years to learn how to secure physical assets and money, the practices of securing digital currency, especially cryptocurrency, are still in their infancy. Unlike physical assets, attacks against digital goods and money can be done from anywhere in the world, and unlike when a person is arrested for attempting to steal physical goods, attempts to steal digital items are accepted as normal, and rarely is an arrest made. A person can attempt to hack an account using thousands of passwords a day, and never have to be concerned about a law enforcement action. The non-reversible nature of cryptocurrency has made it a favorite for cybercriminals. Unlike even many digital transactions between banks, which can be reversed, once a cryptocurrency transaction happens, it is permanent. Even more frustrating is the fact that we can see the accounts the currency resides in but can do very little about it unless that account is verified and connected directly to a person.”
Crypto hack raises yet more questions about DeFi security standards
This incident is particularly problematic as Nomad’s branding has been all about enhanced DeFi security, specifically in response to this recent string of major compromises of cross-chain bridges. A recent funding round that netted it $22.4 million for this vision included OpenSea and Coinbase Ventures as major backers.
Nomad has still said little about the attack, but independent security experts estimate about 40 parties joined in on the crypto hack while the window was open. Most of the stolen funds have been moved to mixer services at this point, with the goal of anonymizing them and throwing off pursuit. But a recent tweet from Nomad indicates that some of the funds were secured by “white hat hackers” who are holding them for recovery. Nomad has not yet indicated how much these parties are holding or what the plan or timeframe is for recovery. About $9 million in various stablecoins has been returned from a variety of addresses at this point, but it is unclear if more is coming.
Nomad is among the biggest individual hits on DeFi platforms that have made news, but thus far in 2022 cross-chain bridges have been hit for a total of $1.5 billion in a number of smaller attacks that are largely underreported outside of niche cybersecurity and crypto circles. DeFi is having a terrible year for security and public relations, and the answer to the problem is not yet clear. DeFi platforms lost $12 billion in 2021, but the vast majority was to fraud and insider theft; the record for the amount stolen due to hacking and security lapses is on pace to be shattered this year. Nick Percoco, Chief Security Officer of Kraken, notes that cross-chain bridges need to make serious improvements very quickly or risk tanking investor confidence in the entire enterprise: “This may be the latest DeFi security breach, but the manner of it ultimately erodes trust in the broader crypto ecosystem. It also reinforces the importance of everyone having a security-first mindset and remaining vigilant when navigating the crypto ecosystem. We anticipate cybersecurity teams to build on the learnings on this instance and introduce more robust security protocols moving forward.”