
How a crypto bridge bug led to a $200m 'decentralized crowd looting'
2022-08-02 23:34

Cryptocurrency bridge service Nomad, which describes itself as "An optimistic interoperability protocol that enables secure cross-chain communication," has been drained of tokens notionally worth $190.7 million if exchanged for US dollars.

Nomad allows cryptocurrency holders to trade their tokens across different blockchains, the distributed public ledgers used to track crypto assets.

Prestwich is the founder and CTO at Nomad. According to Paradigm security researcher "Samczsun," Nomad was exploited as a result of a bug in what people - some without a hint of irony - call a "Smart contract."

Coincidentally, this bug appears to have been cited among a number of flaws identified in a June 6, 2022 security audit [PDF] of Nomad's code.

Nomad's response to this recommendation was to dismiss it, to which the auditor responded, "We believe the Nomad team has misunderstood the issue."

The insufficiently validated code appears to reside within the process() function in the Nomad ERC20 Bridge Contract, in a portion of the program that serves a similar purpose to the prove() function cited in the audit report.
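The article does not say what check was missing from process(). The following is an added, constructed model of a bridge's prove-then-process flow (not Nomad's code and not taken from the audit) that assumes one common failure pattern: a lookup for an unknown message returns a default value, and the default is mistakenly treated as a valid proof. It shows a weak process() check beside a hardened one that requires an explicit, non-zero recorded proof. The `Replica`, `prove`, `process` and `demo` names, the toy Merkle step and the SHA-256 hash are all assumptions for illustration.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # the "nothing recorded" value a mapping lookup returns


def h(*parts: bytes) -> bytes:
    """Toy hash for leaves and internal nodes (constructed; real bridges use keccak256)."""
    return hashlib.sha256(b"".join(parts)).digest()


class Replica:
    """Receiving side of a hypothetical bridge. A message must first be
    proven against a root the contract trusts, then it may be processed."""

    def __init__(self, trusted_root: bytes, hardened: bool):
        self.acceptable_root = {trusted_root: True}  # roots the contract trusts
        self.messages = {}                           # message hash -> root it was proven under
        self.processed = set()
        self.hardened = hardened

    def prove(self, message: bytes, sibling: bytes, root: bytes) -> bool:
        """One-level Merkle check: leaf + sibling must hash to an acceptable root."""
        leaf = h(message)
        if h(leaf, sibling) != root or not self.acceptable_root.get(root, False):
            return False
        self.messages[leaf] = root
        return True

    def process(self, message: bytes) -> bool:
        leaf = h(message)
        if leaf in self.processed:
            return False  # replay protection
        # Model the mapping default: an unknown key reads back as the zero root.
        root = self.messages.get(leaf, ZERO_ROOT)
        if self.hardened:
            # Sufficient check: a proof must have been recorded and must not be the default.
            if leaf not in self.messages or root == ZERO_ROOT:
                return False
        # Weak check on its own: correct only as long as the zero root is never acceptable.
        if not self.acceptable_root.get(root, False):
            return False
        self.processed.add(leaf)
        return True


def demo(hardened: bool) -> dict:
    """Run a correctly configured replica and a misconfigured one (trusted root left at zero)."""
    msg = b"transfer 100 tokens to alice"  # constructed sample message
    sibling = h(b"other-leaf")
    good_root = h(h(msg), sibling)

    ok = Replica(good_root, hardened)
    proven_then_processed = ok.prove(msg, sibling, good_root) and ok.process(msg)

    misconfigured = Replica(ZERO_ROOT, hardened)
    unproven_processed = misconfigured.process(b"message nobody proved")

    return {
        "proven_then_processed": proven_then_processed,
        "unproven_processed": unproven_processed,
    }


if __name__ == "__main__":
    print("weak check:    ", demo(hardened=False))
    print("hardened check:", demo(hardened=True))
```

In the correctly configured replica both variants behave the same: a proven message is processed and an unproven one is rejected. The difference appears only when the trusted-root state is wrong; the weak check then lets the mapping default pass as if it were a proof, while the hardened check rejects any message that prove() never recorded. The defensive point is that process() should verify a positive fact (this message was proven under this non-default root) rather than rely on an unrelated invariant (the zero root is never acceptable) holding forever.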


News URL

https://go.theregister.com/feed/www.theregister.com/2022/08/02/flash_mob_robs_nomad_crypto/