Lack of validation of the input of transaction
Nomad is a cross-chain optimistic interoperability protocol that enables secure cross-chain communication. By leveraging an optimistic mechanism, Nomad reduces the trust assumptions relative to externally verified systems (e.g. multisig, PoS, and oracle-based designs). While these systems require an honest majority (k-of-n) to function safely, Nomad only requires a single honest watcher (1-of-n).
- Users can bridge tokens between chains
- Asset issuers can deploy tokens across chains
- DAOs can facilitate the execution of cross-chain governance proposals
- Developers can build native cross-chain applications (xApps)
The goal of Nomad is to provide the connective tissue to enable users and developers to interact securely in a multi-chain world.
Nomad reported an incident involving the Nomad token bridge.
Within approximately two hours, $150M was taken, according to samczsun. Apparently, the Moonbeam network bridged out 0.01 WBTC (https://moonscan.io/tx/0xcca9299c739a1b538150af007a34aba516b6dade1965e80198be021e3166fe4c) and Ethereum allowed the same transaction to bridge in 100 WBTC (https://etherscan.io/tx/0xa5fe9d044e4f3e5aa5bc4c0709333cd2190cba0f4e7f16bcf73f49f83e4a5460). Several millions have already been moved into Tornado.Cash.
In addition, it was noted that messages were being processed without being checked for the 0x0 case, allowing transactions to be accepted as proven when that may not have been the case. Possibly multiple exploiters were involved.
As of 8/9/22, 32M has been recovered at https://etherscan.io/address/0x94A84433101A10aEda762968f6995c574D1bF154
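The missing 0x0 check noted above, as a simplified Python model added here for illustration; it is not Nomad's contract code. The names (`ReplicaModel`, `confirm_at`, `messages`, `reject_zero`) are hypothetical, and the model assumes the zero root was registered as trusted at initialization, so that an unproven message, which reads back as the zero default, passes the root check.

```python
import hashlib

ZERO = bytes(32)  # what an unset bytes32 mapping slot reads as on-chain


class ReplicaModel:
    """Hypothetical, simplified message inbox; not Nomad's code."""

    def __init__(self, initial_root: bytes, reject_zero: bool):
        self.reject_zero = reject_zero
        self.confirm_at = {initial_root: 1}  # root -> time it becomes trusted
        self.messages = {}                   # message hash -> root it was proven under
        self.processed = set()

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification against `root`.
        self.messages[msg_hash] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero and root == ZERO:
            return False  # "never proven" must not be treated as a root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and confirmed <= now

    def process(self, msg_hash: bytes, now: int = 100) -> bool:
        # An unproven message reads back as ZERO, like a mapping default.
        root = self.messages.get(msg_hash, ZERO)
        if msg_hash in self.processed or not self.acceptable_root(root, now):
            return False
        self.processed.add(msg_hash)
        return True


def run_cases() -> dict:
    # All inputs below are constructed sample values.
    real_root = hashlib.sha256(b"constructed root").digest()
    unproven = hashlib.sha256(b"constructed unproven message").digest()
    honest = hashlib.sha256(b"constructed proven message").digest()

    weak = ReplicaModel(initial_root=ZERO, reject_zero=False)
    hardened = ReplicaModel(initial_root=ZERO, reject_zero=True)
    hardened.confirm_at[real_root] = 1
    hardened.prove(honest, real_root)
    return {
        "weak_accepts_unproven": weak.process(unproven),
        "hardened_accepts_unproven": hardened.process(unproven),
        "hardened_accepts_proven": hardened.process(honest),
        "hardened_replay": hardened.process(honest),
    }
```

The same invariant is worth asserting in contract tests: a message that was never proven must be rejected regardless of how the trusted-root table was initialized.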
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.