The cross-chain bridge was drained of its assets in less than three hours.
Within hours of the Nomad token bridge publishing an Ethereum wallet address last week for the return of funds following a $190 million hack, whitehat hackers had returned approximately $32.6 million. The returned funds consisted largely of the stablecoins USD Coin (USDC), Tether (USDT) and Frax, along with some altcoins.
According to research published by Paul Hoffman of BestBrokers, the vulnerability in the Nomad protocol had been flagged in Quantstamp's June 6 audit of Nomad, where it was rated "Low Risk." As soon as the exploit was discovered, members of the public joined the attack by copying the initial exploit transaction and substituting their own addresses, which was akin to a "decentralized robbery." More than $190 million worth of cryptocurrencies were drained from Nomad in less than three hours.
The attack came just four months after the project raised $22.4 million in a seed round in April. According to Hoffman, the attack took advantage of a wrongly initialized Merkle root. Merkle roots are compact commitments used in cryptocurrencies to verify that data sent through a peer-to-peer network, here the bridged messages, is complete and unaltered. Because the zero (empty) root had been marked as trusted, the bridge accepted any message that had never been proven, since the root stored for an unproven message defaults to zero; the programming error effectively auto-proved every message as valid.
Not all participants in the heist were capitalizing on the opportunity, though. Almost immediately after the hack began, whitehat hackers replayed the original hacker's transaction, with their own address as the recipient, to withdraw funds for safekeeping and later return. By contrast, one attacker allegedly moved stolen funds through an address tied to their Ethereum Name Service (ENS) domain, opening the possibility of cross-referencing it with Know-Your-Customer information linked to the same domain.
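To make the mechanism concrete, the following is an added example written for this article, not Nomad's own Solidity code: a simplified Python model of a bridge's destination-side "replica" contract. It assumes hypothetical names (Replica, acceptable_root, process, copycat) and uses sha256 in place of keccak256; the sample messages are constructed. It shows why marking the zero root as trusted lets an unproven message pass, why a copycat can replay the same message with a different recipient, and how a nonzero-root check closes the hole.

```python
# Added example (not Nomad's code): toy model of a bridge replica's
# message-processing check. Mappings default to zero, as in Solidity.
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32  # the uninitialised value of a bytes32 in the EVM


@dataclass(frozen=True)
class Message:
    """A cross-chain transfer message (constructed sample data)."""
    sender: bytes
    recipient: bytes
    amount: int

    def encode(self) -> bytes:
        return self.sender + self.recipient + self.amount.to_bytes(32, "big")

    def digest(self) -> bytes:
        # sha256 stands in for keccak256; the hash choice is not the point
        return sha256(self.encode()).digest()


@dataclass
class Replica:
    """Hypothetical destination-side contract state."""
    reject_zero_root: bool                              # False = vulnerable, True = hardened
    confirm_at: dict = field(default_factory=dict)      # root -> time it became trusted
    messages: dict = field(default_factory=dict)        # message digest -> proven root
    processed: set = field(default_factory=set)         # digests already paid out
    balances: dict = field(default_factory=dict)        # recipient -> amount withdrawn

    def initialize(self, committed_root: bytes) -> None:
        # Hardened variant refuses to trust the empty root at all.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        return self.confirm_at.get(root, 0) != 0        # unknown roots read as 0

    def process(self, msg: Message) -> bool:
        h = msg.digest()
        # An unproven message has no entry, so the lookup yields the zero root.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        if h in self.processed:
            return False                                 # replay check is by exact digest only
        self.processed.add(h)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def copycat(original: Message, new_recipient: bytes) -> Message:
    """Copy the original exploit message, changing only the recipient."""
    return Message(original.sender, new_recipient, original.amount)


def run_scenario(reject_zero_root: bool) -> dict:
    """Return what each address could withdraw without any Merkle proof."""
    replica = Replica(reject_zero_root=reject_zero_root)
    try:
        replica.initialize(ZERO_ROOT)                    # the mis-initialisation described above
    except ValueError:
        return {}                                        # hardened contract never comes up
    attacker = b"\xaa" * 20
    copier = b"\xbb" * 20
    first = Message(sender=b"\x01" * 32, recipient=attacker, amount=1_000_000)
    replica.process(first)                               # original exploit
    replica.process(copycat(first, copier))              # same calldata, new recipient
    replica.process(first)                               # exact duplicate is still rejected
    return replica.balances


if __name__ == "__main__":
    print("vulnerable:", run_scenario(False))
    print("hardened:  ", run_scenario(True))
```

The digest-based replay check is why an exact re-submission of the first transaction fails while a copy with a different recipient succeeds: changing the recipient changes the digest, and the (default zero) root attached to the new digest is still "trusted". Rejecting the zero root, in both initialization and the acceptance check, removes the shortcut.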
Nomad Bridge Funds Recovery Process
Dear white hat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens,
Please send the funds to the following wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154 pic.twitter.com/UF623JSZ8u
— Nomad (⤭⛓) (@nomadxyz_) August 3, 2022