Nomad: a flaw outlined by the audit firm is not related to a recent hack


An expert claims that the vulnerability that led to the massive Nomad heist has been known to the protocol's developers since June. However, Nomad said the statement isn't valid and the flaw highlighted by the audit firm two months ago isn't the same that caused havoc.

"We are actively working with a leading chain analysis/intelligence firm, TRM Labs, and law enforcement to trace the funds' flow and identify recipient wallets to coordinate the return of funds," Nomad said on Wednesday.

ADVERTISEMENT

Nomad, a cross-chain communication standard enabling "cheap and secure transfers of tokens and data between chains," was raided for more than $190 million in cryptocurrency. White hat hackers have taken the funds during the chaos to safeguard them from malicious actors.

"Dear white hat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens," Nomad tweeted.

According to BestBrokers' analyst Paul Hoffman, hackers took advantage of a wrongly-initialized merkle root used in cryptocurrencies to ensure that data blocks sent through a peer-to-peer network are whole and unaltered.

"Nomad's bridging Smart Contract in its current version was initialized with the 0x0 merkle root, effectively auto-proving any transaction message to be valid," he said.

Ironically, Hoffman added on Wednesday, the exploited vulnerability was highlighted by Quantstamp's audit in June.

"By the update under the recommendation, it is evident that the Nomad team has been made aware of the vulnerability and even responded to Quantstamp's suggestion with ‘We consider it to be effectively impossible to find the preimage of the empty leaf.’ The auditors' comment, reading ‘We believe the Nomad team has misunderstood the issue.’ aged extremely ‘well’ as this is exactly what took Nomad down just short of two months later," Hoffman said.

ADVERTISEMENT

However, this claim was immediately brought into question as some experts believe this is not the same vulnerability that was reported two months ago.

In a statement to Cybernews, Nomad spokesperson said that the audit firm highlighted a different issue and it is not related to the recent hack.

They stressed the commitment to “keeping its community updated as it learns more in the coming hours and days.”

“Nomad has partnered with Anchorage Digital, a nationally regulated custodian bank, to accept and safeguard retrievable funds. Nomad asks that any white hat hacker or ethical security researcher currently holding ETH or ERC-20 tokens from the token bridge attack please return them by sending to the following Anchorage wallet address: 0x94A84433101A10aEda762968f6995c574D1bF154 This is the only valid address for Nomad funds recovery - please be aware of fraud/imposters.”

According to the BestBrokers analyst team, the first four hack transactions occurred on August 1 at 21:32:31 UTC, draining the Smart Contract of 100 Bitcoins each.

"This continued until all 1028 BTC were siphoned off within less than an hour. The hackers then proceeded to divert all 22,880 Ethers, then moved on to the over $107M worth of stablecoins and finally started diverting the altcoins, supported by the project, until there was nothing left in the contract," Hoffman wrote.

The hack dragged crypto prices down, with some involved altcoins suffering as much as a 94% decline.