According to a new analysis, nearly 90% of the addresses involved in the $186 million Nomad Bridge hack have been identified as “copycats,” who stole $88 million worth of tokens on Aug. 1.
Security experts claim that the “copycat” technique was a version of the first exploit, which used a flaw in Nomad’s smart contract to let users withdraw money from the bridge that wasn’t theirs.
Nomad Bridge hack: Race for all
Coinbase’s threat intelligence researcher Peter Kacherginsky and senior associate of special investigations Heidi Wilder confirmed what many had suspected: that hundreds of “copycats” joined the fray once the original hackers figured out how to steal money.
The copycats used exactly the same code, changing only the recipient addresses, target token, and token value.
The first two hackers struck quickly, but as soon as the copycats figured out the trick, it became a competition to see who could steal the most funds.
The original hackers first attacked the Bridge’s wrapped-Bitcoin (wBTC), then USD Coin (USDC), and wrapped-ETH (wETH), according to the Coinbase analysts.
Because wBTC, USDC, and wETH were the tokens held in the bridge in the highest concentrations, they were the perfect place for the original hackers to start.
White-hatters make a move
Surprisingly, on August 9, Nomad Bridge’s plea for the return of stolen funds had garnered a 17% return, with the majority of those tokens being USDC, USDT, and wBTC.
Because the original hackers largely targeted wBTC and wETH, the fact that the bulk of the returned funds was in USDC and USDT shows that most of the money returned came from white-hat “copycats.”
As of Aug. 9, 49% of the stolen money had already been transferred from each recipient’s address to a different location.
The first three recipient addresses were funded via Tornado Cash, an Ethereum-based technology that enables anonymous transactions, according to Coinbase’s report. On Monday, all USDC and ETH addresses connected to the protocol were sanctioned by the U.S. Treasury.
Following the $250 million Wormhole Bridge attack in February and the $540 million Ronin Bridge hack in March, the Nomad Bridge exploit has grown to become the fourth largest DeFi hack ever and the third largest in 2022. These cross-chain bridges have been criticized for being overly centralized, which makes them a prime target for attackers.