Copycats were up to 88 percent of Nomad Bridge exploiters

By: Ikenna Odunze

August 11, 2022 11:36 AM

The copycats used the same code as the original hackers but modified the recipient addresses, token amount and target token.


Almost 90% of the addresses involved in the previous week's $186 million Nomad Bridge hack have been identified as copycats, which got away with up to $88 million worth of tokens on August 1, a new report reveals.


In a Coinbase blog post on the 10th of August, Heidi Wilder, a senior associate of the special investigations team, and Peter Kacherginsky, Coinbase's principal blockchain threat intelligence researcher, confirmed what many had suspected during the bridge hack on August 1st: once the initial hackers discovered how to extract funds, many more copycats took the same path.




The copycats used a variation of the initial exploit, which took advantage of a loophole in Nomad's smart contract that made it possible for users to extract funds from the bridge that didn't belong to them, the security researchers stated.


The copycats used the same code but modified the recipient addresses, target token and token amount.


In terms of total funds extracted, the first two hackers were the most successful. Once the method became known to the copycats, it became a competition among them to extract as much of the funds as possible.


The Coinbase analysts also noted that the initial hackers first targeted the bridge's wrapped Bitcoin (wBTC), followed by wrapped ETH (wETH) and USD Coin (USDC).




Because wETH, wBTC and USDC were the tokens present in the largest concentration on the Nomad Bridge, it was rational for the initial hackers to extract these tokens first.


White-hat efforts


Unexpectedly, Nomad Bridge's request for the return of stolen funds had brought about a 17% return as of August 9th, and the larger share of these tokens is in the form of wBTC (14.0%), Tether USDT (15.5%) and USDC (30.2%).




Given that the initial hackers exploited wBTC and wETH, the fact that the majority of the returned funds came in the form of USDT and USDC suggests that most of the funds recovered were from white-hat copycats.


In the meantime, about 49% of the exploited funds had been transferred out of the recipients' addresses as of August 9th.


Coinbase also stated that the addresses of the first three recipients were funded through Tornado Cash, an Ethereum-based protocol that makes it possible for users to transact anonymously. On Monday, the U.S. Treasury sanctioned all USDC and ETH addresses connected to the protocol.


The Nomad Bridge hack follows the $540 million Ronin Bridge hack in March and the $250 million Wormhole Bridge hack in February. It has become the 4th largest DeFi hack ever and the 3rd biggest in 2022. These kinds of cross-chain bridges have been criticized as too centralized, which makes them a prime target for hackers to exploit.