The crypto world was recently rocked with the news of a major exploit that took place on the Nomad Bridge. This hack saw the platform lose over $190 million USDT equivalent of funds in a short amount of time. While most attacks are perpetrated by a single person or entity, this was different because it involved many independent individuals. Everyone was able to replicate the exploit to trigger Nomad’s protocol and distribute assets to a wallet of their choice.

It is always unfortunate when hacks, attacks, and exploits take place in the crypto space because they can discourage new investors from entering DeFi. However, the only way to improve DeFi in the future and ensure that hacks such as these do not reoccur, is by using these situations as a learning opportunity.

Bridges have become a popular target for hackers. With the recent exploits of the Harmony bridge, Ronin bridge, and now Nomad, over $1 Billion worth of assets have been stolen in 2022 alone. Since a large amount of assets are held in a single place in bridge contracts, bad actors are able to concentrate their efforts narrowly.

Bridges allow for interoperability between blockchains, users can move their assets to a new blockchain to make use of different features without being forced to sell. Since bridges go outside the scope of the trustless public ledger offered by blockchains, third party risk is introduced.

Nomad is a multichain bridging protocol that allows users to move assets between Ethereum, Avalanche, Evmos, Milkomeda C1, and Moonbeam. They are able to reconcile transactions between these chains in about 45-60 minutes. Nomad announced in April that they raised a $22 million funding round from investors including Coinbase Ventures, Crypto.com Capital, and OpenSea.

This hack involved users discovering that they were able to send 0.01 WBTC to the bridge and receive 100 WBTC in return. The exploit took place because transactions accepted the zero root as an approved validator. This means that anyone could tell the protocol to force through a transaction and it would automatically be accepted. Normally, the bridge should work with users sending an amount to the bridge and receiving a similar amount from the bridge.

After the initial exploit was discovered, anyone was able to replicate it by copying and pasting the original transaction. Individuals just needed to change the destination address to a wallet they control.

Probably the most perplexing aspect of this whole saga is the fact that the vulnerability was brought up and acknowledged in the Nomad audit report. Simply getting audited is not enough for the comprehensive security measures of a cross-chain bridge. An audit is only useful if the project acts on the findings to improve the protocol. Security cannot be an afterthought.

So far, Nomad has recovered over $30 million worth of assets. They also announced a 10% bounty to everyone who removed assets from the bridge. Anyone who returns at least 90% of what they removed will be considered a “white hat hacker”, a term used to describe ethical hackers who point out vulnerabilities.

As the crypto space continues to grow, participants need to trust that their funds are secured. Individuals should always assess all the potential risks when committing assets to a DeFi protocol. Likewise, protocols must understand their responsibility in securing its user’s assets. The use of white hat hackers can help projects locate and patch vulnerabilities to better protect users.