Web3 Daily

This hack let anyone & everyone steal crypto, completely anonymously.

Another crypto hack?

Surely by now every exploit possible has been covered.

But no, in software development, there are always new bugs, and always more people to take advantage of those bugs.

Here’s what went down on Monday:

The cross-chain token bridge, Nomad, was exploited, with attackers draining the protocol of roughly $200M USD.

(That sentence made our head hurt).

Let’s break it down into plain English:

Nomad is a ‘cross-chain token bridge’, which simply means the Nomad team has developed a way for people to send and receive crypto from one blockchain to another.

Kinda like if you had USD and took it to a currency trader who gave you English Pounds in return (the currency trader would be the bridge).

The exploit (hack) happened after an update to one of Nomad’s smart contracts made it easy for users to fake transactions.

Before the update, every transaction had to be authenticated on the blockchain.

After the update, the authentication requirement was ‘0’, meaning transactions were automatically marked as authenticated.

Which meant users were able to simply look at any previously successful transactions on the Nomad bridge that had occurred, and point them to their own wallets, even though the money didn’t actually belong to them.

Who's to say if the transactions were legit or not?

(It's hard to know).
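For readers who want to see the bug in code, here is a simplified Python model of the check before the update, after it, and with a hardened check (an added example, not Nomad's contract code; the class, wallet names and root values are made up). It assumes the widely reported root cause: the update put the zero value into the set of trusted roots, and zero is also what a lookup returns for a message nobody ever proved.

```python
# Toy model of a bridge's "is this message authenticated?" check.
# Every name and value here is constructed for illustration.
ZERO_ROOT = "0x00"    # what a lookup returns for a message nobody ever proved
REAL_ROOT = "0xabc"   # stands in for a genuinely verified root


class Bridge:
    def __init__(self, trusted_roots, reject_zero_root=False):
        self.trusted_roots = set(trusted_roots)  # roots treated as authentic
        self.proven = {}                         # message -> root it was proven under
        self.reject_zero_root = reject_zero_root
        self.paid = []                           # payouts actually made

    def prove(self, message, root):
        """Record that `message` was proven to belong to `root`."""
        self.proven[message] = root

    def process(self, message):
        """Pay out only if the message's root is trusted. True means paid."""
        root = self.proven.get(message, ZERO_ROOT)  # unproven -> zero default
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                         # hardened: the default is never proof
        if root not in self.trusted_roots:
            return False
        self.paid.append(message)
        return True


def run_scenario():
    legit = ("alice_wallet", 100)           # a real transfer, proven on-chain
    copied = ("someone_else_wallet", 100)   # same transfer, recipient swapped, never proven
    bridges = {
        "before_update": Bridge({REAL_ROOT}),
        "after_update": Bridge({REAL_ROOT, ZERO_ROOT}),
        "after_update_hardened": Bridge({REAL_ROOT, ZERO_ROOT}, reject_zero_root=True),
    }
    results = {}
    for name, bridge in bridges.items():
        bridge.prove(legit, REAL_ROOT)
        results[name] = (bridge.process(legit), bridge.process(copied))
    return results  # name -> (legit accepted?, copied accepted?)


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Only the middle configuration pays the copied transfer: once the default value counts as trusted, "never proven" and "authenticated" become the same thing.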

What made this attack unique is that, while we’ve heard about single entities taking down Terra or hacking into Axie Infinity’s Ronin Network, this hack was conducted by lots of people.

Anyone who knew about the exploit, knew how to point a transaction to their wallet (and wanted to), could do it.

As stated in the article: “It was a free for all.”

So what happens now?

An investigation is ongoing and the Nomad team are working to identify the accounts involved to trace and recover the funds.

Historically that hasn’t been easy, and with many accounts involved rather than just a few, it sounds like a tough ask.

For anyone who lost money on Monday - here’s hoping they come up with the goods.