Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, is the latest to be hit after a frenzied attack on Monday, which left almost $200 million of its funds drained.
The exploit was made possible by a misconfiguration of the project’s main smart contract that allowed anyone with a basic understanding of the code to authorize withdrawals to themselves.
Over 300 wallets participated in draining the bridge.
“This is why the hack was so chaotic,” samczsun wrote. “[Y]ou didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
A further post-mortem from blockchain security auditing firm CertiK noted that this dynamic created its own momentum, where people who saw funds being stolen using the above method were able to substitute their own addresses to replicate the attack. This led to what one Twitter user described as “the first decentralized crowd-looting of a 9-figure bridge in history.”
The issue appeared to be due to an upgrade performed by Nomad that changed how the contract verified that a message had been proven before processing it.
Around $22 million has been returned so far.
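As an added illustration of the failure mode in the upgrade described above (this is a simplified model written for this page, not Nomad's code): a message that was never proven maps to the zero root by default, so if the zero root is ever marked as confirmed, the acceptance check passes for every replayed message. The hardened variant rejects the zero root explicitly so a never-proven message cannot pass regardless of what the confirmation table holds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of a bridge replica's message-acceptance check.
// Assumption: names and layout are illustrative, not Nomad's actual contract.
contract ReplicaModel {
    // messageHash => Merkle root the message was proven against.
    // A message that was never proven has the default value bytes32(0).
    mapping(bytes32 => bytes32) public messages;

    // root => timestamp from which the root is trusted (0 = never confirmed).
    mapping(bytes32 => uint256) public confirmAt;

    // Vulnerable initialisation: if this is ever called with bytes32(0),
    // the "root" that every unproven message maps to becomes confirmed.
    function initialize(bytes32 committedRoot) external {
        confirmAt[committedRoot] = 1;
    }

    // Records a legitimately proven message (proof verification omitted here).
    function recordProven(bytes32 messageHash, bytes32 root) external {
        messages[messageHash] = root;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        uint256 trustedFrom = confirmAt[root];
        return trustedFrom != 0 && block.timestamp >= trustedFrom;
    }

    // Vulnerable check: an unknown message yields root bytes32(0); once
    // confirmAt[bytes32(0)] is non-zero this returns true for any hash.
    function canProcessVulnerable(bytes32 messageHash) external view returns (bool) {
        return acceptableRoot(messages[messageHash]);
    }

    // Hardened check: the zero root is never acceptable, so a message that
    // was never proven is rejected before the confirmation table is consulted.
    function canProcessHardened(bytes32 messageHash) external view returns (bool) {
        bytes32 root = messages[messageHash];
        if (root == bytes32(0)) return false;
        return acceptableRoot(root);
    }
}
```

Deploying this model and calling `initialize(bytes32(0))` makes `canProcessVulnerable` return true for any random hash while `canProcessHardened` still returns false, which is the property an upgrade review or invariant test should assert.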
Developers behind the Solana blockchain are saying the closed-source Slope wallet may be responsible for an ongoing exploit that has resulted in millions of dollars’ worth of crypto tokens being stolen from more than 9,000 hot wallets.
The exploit has caused at least $6 million in various tokens to be stolen from users of the Slope and Slope-tied Phantom wallets.
“This does not appear to be a bug with Solana core code, but in software used by several software wallets popular among users of the network,” Solana said.
The stolen funds were drained from unsuspecting hot wallets, which are wallets whose keys are stored online as opposed to on a hardware device.
Slope’s mobile app sends off mnemonics via TLS to their centralized Sentry server.
These mnemonics are then stored in plaintext, meaning anybody with access to Sentry could access user private keys.
According to OtterSec: “Over 5,300 private keys which were not a part of the exploit were found in the Sentry instance. 2,358 of these addresses have tokens in them. If you used Slope, PLEASE MOVE YOUR FUNDS.”