Bridge exploits continue to prove to be a top concern across DeFi and crypto at large, as bridges time and time again have proven to be a major point of vulnerability. Enter once again another prime example with the latest 9-figure exploit, this time on the multi-chain Nomad Bridge.
In the early hours following the exploit, we’re looking at an exploit in the range of $160-190M – let’s take a look at this and more from what we know thus far.
According to Defi Llama, the bridge closed off July with a TVL of right around $190M, and as August went underway, many users on crypto Twitter began to watch the bridge get exploited and essentially drained to 0. The bulk of that was in USDC, WETH, and WBTC. However, roughly a half dozen different tokens were drained, ranging anywhere from ten’s of thousands to nearly $100M worth.
It was first noted by Twitter user @spreekaway:
Seed investors in Nomad include the likes of Polygon, Coinbase Ventures, OpenSea and others, and the bridge took on a $22M round of fundraising just 4 months ago.
Ether (ETH) can be wrapped to be used to transfer across networks, through bridges, at a lower cost than ETH. | Source: ETH-USD on TradingView.com
Related Reading | TA: Near Protocol Struggles To Break Out Despite Relief Bounce
Another Bridge Bites The Dust
However the Nomad team looks to recover, it will be a long road to travel. Bridges continue to be a focal point of vulnerability in crypto, as 9-figure exploits continue to wreak havoc. Earlier this year, Wormhole suffered a loss over $300M in one of the biggest losses in DeFi history. Cross-chain activity should be a major point of emphasis for crypto security as many have touted it as “the future of crypto” – but also offers areas of vulnerabilities.
Unlike many of the vulnerabilities seen in crypto, however, this one was seemingly just a contract exploit utilized by a variety of addresses (some of which have said they plan to return the funds). In this case, a user manipulated code noted in the bridge’s audit, taking advantage of a vulnerable function to have every message on the bridge valid. Other users saw this taking place, and sought to see if they could do so themselves.
Perhaps enough funds will be returned for the bridge to continue forging ahead after the dust settles. At time of publishing, the bridge’s TVL sits just shy of $5,000 – a tiny amount of the near $200M locked pre-exploit, but still a small bounce back from the sub-$1,000 worth that was seen immediately following the exploit.
Related Reading | Ethereum Investors Clamor To Take Profits As Profitability Explodes