The most recent in a series of DeFi hacks happened less than 36 hours ago to the Nomad project. The ambitious dApp promised cross-chain interoperability with “increased safety“, giving developers the option to “securely build cross-chain applications (or xApps) and bridge assets between chains”. It was namely this feature that got exploited, letting hackers and allegedly random users on public Discord servers drain over $190 million worth of cryptocurrencies through the project’s bridging Smart Contract in what is dubbed as the “First Decentralized Robbery“.
Our Analyst Team at BestBrokers started looking into Blockchain data, related to the hack, in the first hours after the news broke. Our goal was to build the timeline of what happened and diagnose the repercussions. We identified the first 4 hack transactions occurring on 1 August at 21:32:31 UTC, draining the Smart Contract of 100 Bitcoins each. This continued until all 1028 BTC were siphoned off within less than an hour. The hackers then proceeded to divert all 22,880 Ethers, then moved on to the over $107M worth of stablecoins and finally started diverting the altcoins, supported by the project, until there was nothing left in the contract.
This event logically dragged crypto prices down but unlike the established cryptocurrencies (BTC and ETH) and stablecoins, some altcoins that were involved suffered as much as 94% decline. Our team got a deeper look into the most affected cryptocurrencies – CARD.STARTER (CARDS), Charli3 (C3), Covalent (CQT), IAGON (IAG), and GeroWallet (GERO):
Just a few days after the cross-chain messaging protocol, Nomad, announced the participants in their $22.4 million seed round of April 2022, again highlighting the importance of security, the company went from hero to zero – literally. On 2 August the company reported the latest DeFi hack which led to the company’s entire capital being drained. The interesting part is that the whole event could be witnessed live on Twitter, as crypto influencers were reporting as the hack went on.
The hackers took advantage of a wrongly-initialized merkle root, used in cryptocurrencies to ensure that data blocks sent through a peer-to-peer network are whole and unaltered. Nomad’s bridging Smart Contract in its current version was initialized with the 0x0 merkle root, effectively auto-proving any transaction message to be valid.
Was the writing on the wall?
In the first hours after the attack there was speculation by some crypto experts that the exploited vulnerability was highlighted in a security audit, done by Quantstamp almost 2 months prior to the hack. However this has been refuted and Quantstamp came with an official statement, that the bug was introduced AFTER the audit in question was done and Nomad DID NOT have prior knowledge of the bug.
The First Decentralized Robbery
An interesting aspect of this particular vulnerability is the fact that in order to exploit it, anyone could just copy the initial hacker’s transaction calldata (the data you pass to a Smart Contract) and just modify the destination wallet address to their own. That way it was just a matter of Copy-Pasting the original transaction for anyone to start draining Nomad’s Smart Contract. It is reported that at some point after the original hackers took out all BTC, ETH and part of the stablecoins the hack was touted on some public Discord servers. This is believed to be done by the hackers in order to cover their tracks and soon after random users started joining in on the loot, turning this into the First Decentralized Robbery.
This included some Whitehats that did so just in order to save part of the funds from getting into the wrong hands. They pledged they would return the funds later.
Accidently exploited Nomad bridge (for 17k), will return the funds asap
— fbslo (@fbsloXBT) August 1, 2022
All of the altcoins involved in the heist took serious damage. Despite the great losses, some of them saw strong recoveries with CQT price going from -57% to -26% compared to the pre-hack levels. On the other hand C3 (-93%) has a long way to recover as their prices recovered to -54% at some point but dropped again to -86% currently.
“When such significant drops occur, the way back proves to be way too hard for most of the affected assets. Although cryptocurrencies are more volatile and cannot be just written off, the most suffering coins from this hack will most probably have a hard time getting back to previous levels.”
The established Ether and Bitcoin suffered a decrease between 3% and 5% which can be considered as normal volatility and they have recovered. This proves that prices of newly released altcoins related to DeFi are way more vulnerable.
On the other hand, Ether proves to become more solid as time passes which is great news for investors who seek not only security but also usability of their crypto assets.
“While in the past hacks were targeting exchanges and were affecting mainly the Bitcoin price, nowadays’ attacks are aimed mostly at DeFi. This year’s DeFi hacks dragged down a lot of altcoins but not the Ether, which proves it is getting closer to Bitcoin in terms of trust.”