In an update to its followers on Tuesday evening Asia time, cross-chain bridge Nomad said it is working to identify the attacker and recover the funds after an exploit drained nearly US$200 million on Monday.
See related article: Nirvana’s ANA token down more than 80% after US$3.5 mln hack
- “We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics,” the company said on its verified Twitter handle.
- Cross-chain bridges, which allow users to trade tokens between different blockchains, work by reissuing tokens deposited on one chain with “wrapped” form of the tokens on another chain.
- The US$200 million attack took place when a routine upgrade on one of Nomad’s smart contracts allowed attackers to spoof transactions on the cross-chain bridge, according to Twitter user and researcher at Paradigm, @samczsun.
- The Twitter user explained that unlike previous attacks on cross-chain bridges, there could be multiple accounts that perpetrated the exploit on Nomad.
- “This case is one of the most highly damaging hackings this year,” Jasper Lee, Audit Tech Lead at smart contract auditing firm Sooho.io told Forkast. “The hacker has bypassed both the verification of transaction user requests and the processing of the trusted Merkle with 0x00 during routine storage updates,” he said. “The hacker bypassed the verification and sent 0.01 wBTC to take 100 wBTC.”
- The attack on Nomad comes after a series of hacking incidents on cross-chain bridges such as Harmony’s Horizon bridge in June and Sky Mavis’ Ronin bridge in March, which cast a cloud on the security of cross-chain bridges.
See related article: US Treasury says prioritize sanctioning North Korea for crypto hacking