Nearly 90% of the addresses that took part in last week’s $186 million Nomad Bridge hack were identified as “copycats” and made off with $88 million worth of tokens on Aug. 1, according to a new report.
The Aug. 10 Coinbase blog post was written by Peter Kacherginsky, Coinbase’s principal blockchain threat intelligence researcher, and Heidi Wilder, a senior associate on the special investigations team. The pair confirmed what many had suspected during the Aug. 1 bridge hack: once the initial hackers had figured out how to extract funds, hundreds of “copycats” joined the party.
The security researchers say the “copycat” method was a variant of the original exploit, which used a loophole in Nomad’s smart contracts that gave users access to bridge funds that weren’t theirs.
The copycats then copied the same code but modified the target token, token amount and recipient addresses.
Although the hackers who were first to use the technique were the most successful in terms of total funds extracted, once the method became known to others, it turned into a race for everyone involved to extract as much as possible.
The Coinbase analysts noted that the bridge’s wrapped Bitcoin (wBTC) was targeted first, followed by USD Coin (USDC) and wrapped ETH (wETH).
It made sense for the original hackers to extract the wBTC and USDC tokens first, as these were held in the highest concentrations in the Nomad Bridge.
Surprisingly, Nomad Bridge’s request for the return of stolen funds resulted in 17% of the funds being returned as of Aug. 9, with most of the returned tokens being USDC (30.2%), USDT (15.5%) and wBTC (14.0%).
The fact that most of the returned money was in USDC and USDT indicates that white-hat “copycats” were responsible for the majority of the funds returned.
As of Aug. 9, approximately 49% of the exploited funds had been transferred out of the recipient addresses to other addresses.
Coinbase also pointed out that the first three addresses were funded through Tornado Cash, an Ethereum protocol that allows anonymous transactions. All USDC and ETH addresses linked to the protocol were sanctioned by the U.S. Treasury on Monday.
After the hacks of the Wormhole Bridge and Ronin Bridge, which cost $250 million and $540 million (in March) respectively, the Nomad Bridge hack is now the fourth-largest DeFi hack. These cross-chain bridges have been accused of being too centralized, making them an easy target for attackers.