I stumbled across a tweet about Nomad, a cross-chain bridge that had just had almost $200 million of crypto assets stolen in a hack:
The cross-chain token bridge Nomad was exploited, with attackers draining the protocol of virtually all of its funds. The total value of cryptocurrency lost to the attack totalled near $200 million. Nomad, like other cross-chain bridges, allows users to send and receive tokens between different blockchains. Monday’s attack is the latest in a string of highly-publicized incidents which have drawn the security of cross-chain bridges into question.
Like many, you scratch your head wondering what they are talking about.
Let’s start with the basics: Nomad describe themselves as “a cross-chain communication standard that enables cheap and secure transfers of tokens and data between chains”.
The key to this is that a cross-chain bridge allows interoperability between different blockchains and blockchain tokens. It is like an FX service but, in this case, it allows the exchange of information, cryptocurrency or NFTs from one blockchain network to another. It enables the flow of data and tokens across what would otherwise be siloed sets of data on different blockchains.
Cool.
In particular, a key characteristic of a cross-chain bridge is that it enables users to exchange one cryptocurrency for another without having to change it into fiat currencies first. For example, bitcoin and Ethereum are the two largest cryptocurrency networks and have vastly different rules and protocols. Through a blockchain bridge, bitcoin users can transfer their coins to Ethereum and do with them what they otherwise could not do on the bitcoin blockchain. That can include purchasing various Ethereum tokens or making low-fee payments.
So far, so good.
I could now take you down the rabbit hole of Web3 and Layer2 operations, but let’s not go there. It would take too long. Google it.
The thing is that this just reinforces the Wild West image of crypto, following the issues that Binance have with the SEC and the collapse of Celsius, a major crypto exchange.
When I delved deeper into the tweet, it turned out that Nomad appeared to have done something really, really stupid. According to the thread from samczsun, the platform had messed up a routine upgrade and set the trusted root identifier used by its token exchange contracts to one that started with 0x00. This meant that anyone could send a request to exchange tokens with an identifier starting with 0x00 and it would be accepted.
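The failure described above, as a simplified Python model added here for illustration; it is not Nomad's contract code or code from the thread. The class and function names are hypothetical, the root values are constructed, and it assumes that a message with no recorded proof reads back as the all-zero value, which is why trusting a 0x00 root ends up accepting everything.

```python
# Simplified model of a bridge message check. Hypothetical names, not Nomad's code.
ZERO_ROOT = b"\x00" * 32  # the all-zero "0x00" root value


class BridgeInbox:
    def __init__(self, initial_trusted_root, reject_zero_root=False):
        # Roots treated as proven; seeded when the contract is (re)initialised.
        self.trusted_roots = {initial_trusted_root}
        # message id -> root it was proven under; empty until a proof is recorded.
        self.proven_under = {}
        self.reject_zero_root = reject_zero_root

    def record_proof(self, message_id, root):
        # Stand-in for real proof verification.
        self.proven_under[message_id] = root

    def accepts(self, message_id):
        # Assumption: like an on-chain mapping, a missing entry reads as all zeroes.
        root = self.proven_under.get(message_id, ZERO_ROOT)
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" can never count as trusted
        return root in self.trusted_roots


def unproven_message_rejected(inbox):
    # Post-upgrade smoke test: a message nobody proved must be refused.
    return not inbox.accepts("probe-never-proven")


def demo():
    real_root = bytes.fromhex("ab" * 32)  # constructed sample root
    broken = BridgeInbox(ZERO_ROOT)       # botched upgrade: zero root trusted
    healthy = BridgeInbox(real_root)      # intended configuration
    healthy.record_proof("msg-1", real_root)
    guarded = BridgeInbox(ZERO_ROOT, reject_zero_root=True)  # same mistake, guarded
    return {
        "broken_passes_smoke_test": unproven_message_rejected(broken),
        "healthy_passes_smoke_test": unproven_message_rejected(healthy),
        "healthy_accepts_proven": healthy.accepts("msg-1"),
        "guarded_passes_smoke_test": unproven_message_rejected(guarded),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The smoke test is the part worth keeping: run after any upgrade, it fails as soon as a default value is treated as a trusted one.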
No wonder I’m nervous of cryptocurrencies. Are you?
I guess it always comes back to my favourite quote inspired by John Oliver:
Cryptocurrencies combine everything you don’t understand about money with everything you don’t understand about computers
Caveat emptor.
Postnote: Millions drained from Solana today
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.