In what now seems like a weekly event, the latest big crypto hack has made off with nearly $200 million in value from Nomad, a so-called cross-chain token bridge. These bridges are designed to allow people to transfer crypto tokens between different blockchains and, without getting too far into the weeds, work by locking up tokens in one chain and re-issuing them in a 'wrapped' form on another: this process is called a smart contract.
Clearly not too smart, though, as Nomad has now acknowledged the hack and frenzied free-for-all. In a statement to Coindesk the company said: "An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained. We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds."
So, what happened? Essentially Nomad pushed an update that made it easy for users to fake transactions and withdraw funds from the bridge that didn't belong to them. This was not an exploit that required elite skills to take advantage of and, when it was noticed, hackers descended en masse and stole almost everything being held by Nomad’s Ethereum Mainnet smart contract.
Security researcher Samczsun, who works for the crypto investment firm Paradigm, explains the exploit in the below tweet thread, unrolled here.
2/ It all started when @officer_cia shared @spreekaway's tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign pic.twitter.com/klHNfthVvj (August 1, 2022)
Essentially, the system had
Read more on pcgamer.com