The Nomad Bridge Exploit: A Few Clicks Away From Millions

The Nomad Bridge Exploit: A Few Clicks Away From Millions

This morning was really interesting. At one point, I was just a few clicks away from being able to 'steal'/'exploit' millions of dollars. But here's the catch, if you had done that you would be getting chased by the FBI and various three letter agencies and probably arrested. Here's the story of the Nomad Bridge Exploit and how it was a free for all with $200 million dollars exploitable by anyone.

The Exploit

The unusual movement of funds was first caught by the on-chain watchers. Here's one of the tweets I saw early this morning that caught my attention.

At first I though "wow yet another bridge hack" and went on to catch up on some stuff. Later, I saw the tweet again and noticed how there were a bunch of different addresses getting seemingly random amounts of money that were 6 to 7 fig each. This was pretty unusual as typically an exploiter or hacker would take all the funds from a protocol in a single transaction so that they could secure the bag and then use Tornado Cash to 'mix' the money.  

I then went on to the Nomad ERC 20 Bridge address on etherscan to find out what was going on. The transactions were looking pretty wild. It looked like there was some send 0.01 Bitcoin get 100 Bitcoins back scheme going on or something and a bunch of random address, some even funded by CEX accounts and some with ENS domains exploiting the bridge for 5, 6 or even 7 figs. This was crazy. I had never seen a decentralised exploit before with a bunch of random anons coming together to exploit hundreds of millions of dollars. This is like if a bank exploded and hundreds of millions of dollars worth of cash was just flying through the streets and everyone was taking some and running.

Obviously my first thought was what's going on and how are they able to exploit the contract and get 10,000x the money they deposited. As someone who is unable to code in solidity, I thought that there was definitely some really basic way to exploit because a real professional dev would have taken the $200m in one transaction and the addresses that were exploiting for 5 fig looked like your average defi degen with a bunch of shitcoin transactions in their transaction history. So I went on the nomad bridge site and saw that their UI was still correct for the amounts ($ 1 USDC on Ethereum = $1 USDC on MoonBeam at least on the UI). However, the contract bridged out 100 WBTC for 0.01 WBTC bridged out on MoonBeam. So yeah, the contract was giving out 10,000x the amount and anyone who knew how to use a defi application could exploit it. Here's a more technical thread explaining the situation.

So I was technically one click away from getting $200k in one transaction and a couple more minutes it could have been a million dollars. But 'code is law' has proven to not work in courts and exploiting a smart contract in an immutable blockchain isn't the best idea even with tornado cashed accounts. The feds always know or something.

Also, It's important to remember that you are  going to get caught especially if you stole a really small amount and are not a professional like the North Korean hacking group. After all, even the BitFinex hack couple got caught with insane security measures and access to billions.

Either way its a losing situation unless you're a professional whitehack, have connections and can find a way to get paid for exploiting and saving funds from the bad guys. Not sure if the stories of random noob DeFi participant, Noah, from Canada stealing 5k and getting arrested will be published publicly but it will be interesting to see what happens.

Also, the people who exploited ,especially on their CEX funded accounts, are going to have an interesting time ahead with law enforcement, forensic experts, national authorities the FBI and more. At least this is what happened when Harmony One got their bridge hacked for 100m a month ago.

One thing to note is that projects that have been hacked have offered whitehackers rewards or given the hacker a way out by asking them to send only 90% of the stolen funds and not pressing charges against the exploiter. But these types of offers are quite sus and smells like insiders exploiting the protocol themselves and trying to find a way out.

Overall, this was quite an interesting situation. I don't think there's been a hack like this in DeFi before or at least in the past two years. A free for all frenzy where all you had to do was send a transaction to 'steal'/'exploit' millions of dollars. Never a dull day in crypto.


Nomad announced a 10% whitehack bounty so because I made the decision not to exploit the protocol in those 8 minutes, missed out on anywhere from 20k to 6 fig of whitehack bounty. Still think my decision was the right move but maybe could have done whitehack stuff if I had a proper setup (stricter opsec setups on my wallet) to not so scared of getting caught and not being given time to explain myself as being a whitehack.

Sucks but that's how the game works.

Well on to the next one