Altcoins Affected By Nomad Hack Collapsed As Much As 94%

Published on

The most recent in a series of DeFi hacks happened less than 36 hours ago to the Nomad project. The ambitious dApp promised cross-chain interoperability with “increased safety“, giving developers the option to “securely build cross-chain applications (or xApps) and bridge assets between chains”. It was namely this feature that got exploited, letting hackers and allegedly random users on public Discord servers drain over $190 million worth of cryptocurrencies through the project’s bridging Smart Contract in what is dubbed as the “First Decentralized Robbery“.

Get The Full Series in PDF

Get the entire 10-part series on Charlie Munger in PDF. Save it to your desktop, read it on your tablet, or email to your colleagues.

Q2 2022 hedge fund letters, conferences and more

 

Our Analyst Team at BestBrokers started looking into Blockchain data, related to the hack, in the first hours after the news broke. Our goal was to build the timeline of what happened and diagnose the repercussions. We identified the first 4 hack transactions occurring on 1 August at 21:32:31 UTC, draining the Smart Contract of 100 Bitcoins each. This continued until all 1028 BTC were siphoned off within less than an hour. The hackers then proceeded to divert all 22,880 Ethers, then moved on to the over $107M worth of stablecoins and finally started diverting the altcoins, supported by the project, until there was nothing left in the contract.

This event logically dragged crypto prices down but unlike the established cryptocurrencies (BTC and ETH) and stablecoins, some altcoins that were involved suffered as much as 94% decline. Our team got a deeper look into the most affected cryptocurrencies – CARD.STARTER (CARDS), Charli3 (C3), Covalent (CQT), IAGON (IAG), and GeroWallet (GERO):

Altcoins

What Happened?

Just a few days after the cross-chain messaging protocol, Nomad, announced the participants in their $22.4 million seed round of April 2022, again highlighting the importance of security, the company went from hero to zero – literally. On 2 August the company reported the latest DeFi hack which led to the company’s entire capital being drained. The interesting part is that the whole event could be witnessed live on Twitter, as crypto influencers were reporting as the hack went on.

The hackers took advantage of a wrongly-initialized merkle root, used in cryptocurrencies to ensure that data blocks sent through a peer-to-peer network are whole and unaltered. Nomad’s bridging Smart Contract in its current version was initialized with the 0x0 merkle root, effectively auto-proving any transaction message to be valid.

The Writing Was On The Wall?

The ironic part is that allegedly a similar vulnerability to the one that just got exploited was highlighted in a Security Audit Report done by Quantstamp on 6/6/2022. It can be found under “QSP-19 Proving With An Empty Leaf” on page 7 of the still publicly available report and is deemed as “Low Risk”. By the update under the recommendation it is evident that the Nomad team have been made aware of the vulnerability and even responded to Quantstamp’s suggestion with “We consider it to be effectively impossible to find the preimage of the empty leaf”. The auditors’ comment is reading “We believe the Nomad team has misunderstood the issue.” The issue in the audit highlighted the possibility for some invalid transactions to be validated unrightfully. What happened in the hack was that due to a wrongly-set merkle root (the number used to “prove” valid transactions) in Nomad’s current Smart Contract ALL transactions were in essence auto-validated.

The First Decentralized Robbery

An interesting aspect of this particular vulnerability is the fact that in order to exploit it, anyone could just copy the initial hacker’s transaction calldata (the data you pass to a Smart Contract) and just modify the destination wallet address to their own. That way it was just a matter of Copy-Pasting the original transaction for anyone to start draining Nomad’s Smart Contract. It is reported that at some point after the original hackers took out all BTC, ETH and part of the stablecoins the hack was touted on some public Discord servers. This is believed to be done by the hackers in order to cover their tracks and soon after random users started joining in on the loot, turning this into the First Decentralized Robbery.

This included some Whitehats that did so just in order to save part of the funds from getting into the wrong hands. They pledged they would return the funds later.

All of the altcoins involved in the heist took serious damage. Despite the great losses, some of them saw strong recoveries with CQT price going from -57% to -26% compared to the pre-hack levels. On the other hand C3 (-93%) has a long way to recover as their prices recovered to -54% at some point but dropped again to -86% currently.“When such significant drops occur, the way back proves to be way too hard for most of the affected assets. Although cryptocurrencies are more volatile and cannot be just written off, the most suffering coins from this hack will most probably have a hard time getting back to previous levels.” – comments Alan Goldberg, analyst at BestBrokers.

The established Ether and Bitcoin suffered a decrease between 3% and 5% which can be considered as normal volatility and they have recovered. This proves that prices of newly released altcoins related to DeFi are way more vulnerable.

On the other hand, Ether proves to become more solid as time passes which is great news for investors who seek not only security but also usability of their crypto assets.

While in the past hacks were targeting exchanges and were affecting mainly the Bitcoin price, nowadays’ attacks are aimed mostly at DeFi. This year’s DeFi hacks dragged down a lot of altcoins but not the Ether, which proves it is getting closer to Bitcoin in terms of trust.” - commented Alan Goldberg, analyst at BestBrokers.