On August 2nd, 2022, an attacker and copycats were able to exploit a bug in the Nomad bridge contract and withdraw over $190 million worth of cryptocurrency from the platform.
The Nomad Bridge is a decentralized protocol that enables users to transfer their crypto assets between different blockchains, including Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).
The vulnerability lay in the `process()` function of the Replica.sol contract, which verifies that a transaction belongs to an acceptable root. During a routine upgrade, the Nomad team initialized the trusted root to `0x00`. This enabled thousands of addresses to copy and paste the attacker's original call data and loot funds from Nomad's account.
The bug lay in the `process()` function of the Replica.sol contract, and `0x00` was considered an acceptable root in the contract.
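The root check described above, as an added example that is not code from Nomad's Replica.sol: a simplified Python model showing why trusting root `0x00` lets never-proven messages through (an unset mapping entry also reads as zero) and how rejecting the zero root closes that. SHA-256 stands in for the contract's message hash, `prove()` stands in for Merkle proof verification, and the class, method names and `reject_zero_root` switch are assumptions.

```python
import hashlib
import time

ZERO_ROOT = bytes(32)  # what an unset bytes32 mapping entry reads as in Solidity


class ReplicaModel:
    """Simplified model of the root check (assumed names, not Nomad's code)."""

    def __init__(self, reject_zero_root=False):
        self.reject_zero_root = reject_zero_root  # hypothetical hardening switch
        self.confirm_at = {}    # root -> time after which the root is trusted
        self.messages = {}      # message hash -> root it was proven against
        self.processed = set()  # hashes already processed (replay guard)

    def initialize(self, committed_root):
        # Hardened form refuses to mark the empty root as trusted at upgrade time.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1

    def prove(self, message, root):
        # Stand-in for Merkle proof verification: record the message's root.
        self.messages[hashlib.sha256(message).digest()] = root

    def acceptable_root(self, root):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirm_time = self.confirm_at.get(root, 0)
        return confirm_time != 0 and time.time() >= confirm_time

    def process(self, message):
        digest = hashlib.sha256(message).digest()
        # Like a Solidity mapping, an unproven message reads back as the zero root.
        root = self.messages.get(digest, ZERO_ROOT)
        if digest in self.processed or not self.acceptable_root(root):
            return False
        self.processed.add(digest)
        return True


def unproven_message_accepted(replica, committed_root):
    """Upgrade check: after initialize(), is a never-proven message processed?"""
    try:
        replica.initialize(committed_root)
    except ValueError:
        return False
    return replica.process(b"constructed message that was never proven")
```

Running `unproven_message_accepted()` against the initializer arguments of an upgrade, before it ships, turns the zero-root condition into a failing test.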
The 3 addresses highlighted in red in the visualization likely belong to the initial hacker. These addresses interact with each other; of them, 0xb5c55f76f90cc528b2609109ca14d8d84593590e is the address that initiated the exploit, performing the first failed transfer with a burned fee of ~215 ETH (~$352k).
Nomad acknowledged this exploit and asked white hat hackers and ethical researchers who had safeguarded ETH/ERC-20 tokens to send all funds back to an official recovery address.
On December 15, 2022, the company recovered an estimated $37 million of the stolen funds, representing around 20%. Following this last successful recovery, the company is hopeful that it may be able to recoup even more money in the future as its investigation continues.