On Monday, the cross-chain token bridge Nomad was attacked and hackers managed to siphon $190 million from the protocol, draining a great majority of the funds. The Nomad cross-chain bridge attack was the third-biggest crypto heist of 2022, and the ninth largest of all time.
“The vulnerability was in the initialization process where the “committedRoot” is set as ZERO,” Certik wrote. “Therefore, the attackers were able to bypass the message verification process and drain the tokens from the bridge contract,” Certik added, noting:
The exploit occurred when a routine upgrade allowed verification messages to be bypassed on Nomad. Attackers abused this to copy/paste transactions and were able to drain the bridge of nearly all funds before it could be stopped.
“This type of issue would be difficult to discover under conventional auditing practices that assume all deployment configurations are correct, because this particular bug was introduced by mistakes in the deployment parameters,” Certik’s report on the Nomad situation concludes. “However, a broader auditing process and full-scope penetration test that includes validating deployment processes would potentially capture this bug,” the auditors added.
What do you think about the recent cross-chain exploit against the Nomad bridge? Let us know what you think about this subject in the comments section below.