In an on-chain message, Nomad has asked the attackers to return funds to the ENS address nomadexploit.eth, promising to treat anyone who does so as a whitehat. Nomad added that no action will be taken against those who return funds, and that they will receive a 20% bounty.
Nomad Requests Attackers To Return Funds for 20% Bounty
The Nomad token bridge has asked the attackers to return the stolen funds, promising to treat those who do as whitehats and to take no further action against them. Anyone who returns funds will be rewarded with a 20% bounty.
The details were set out in an on-chain message attached to a transaction. Nomad asks everyone holding exploited tokens to send them to the ENS name nomadexploit.eth, which corresponds to the address 0x673477e1438a0e09Ba16e2C56F8A701C3317942c.
“We appreciate your effort, we will [treat] this action as a whitehat, and we won’t take any further actions against you, requesting you to transfer all the tokens from your address to our below-mentioned ENS and get a bounty of 20%.”
Many users had previously left on-chain messages claiming to be whitehats who plan to return the funds. These users were waiting for official communication from the Nomad team and had asked it to announce a bounty.
A user said, “I have not swapped any assets even after knowing that USDC can be frozen. Transferred USDC, FRAX, and CQT tokens from other addresses in order to consolidate.”
PeckShieldAlert has recorded more than 41 addresses involved in the exploit, including 7 MEV bots, the Rari Capital Arbitrum exploiter, and 6 whitehats. Together these addresses collected about $152 million, almost 80% of the Nomad exploit proceeds. Moreover, the roughly 10% of these addresses that carry ENS names grabbed $6.1 million.
The Hack Could Have Been Prevented
The $200 million Nomad bridge exploit is an example of the risk of dismissing audit findings. The Nomad team misunderstood the issue described in section QSP-19, “Proving With An Empty Leaf”, of the Quantstamp audit report.
According to a Reddit post, the audit team believed the issue related to proving that empty bytes are included in the tree: “Empty bytes are the default nodes of a sparse Merkle tree. Therefore, anyone can call the function with an empty leaf and update the status to be proven.”
The attackers exploited exactly this behaviour. They called the bridge's process function with messages that had never been proven; the stored root for such a message is the default value 0x00, and the contract accepted that zero value as a valid proof, so the check passed. Other users then copied the first attacker's transaction and simply changed the recipient address, turning the hack into what has been called the first decentralized exploit. Three addresses hold over $90 million from the exploit, according to a Dune Analytics dashboard.
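The following Python model illustrates the failure mode above and why the copy-paste exploit worked. It is an added example, not Nomad's Solidity code: the `Replica` class is a simplified stand-in for Nomad's receiving-side contract of that name, the message layout and sha256 hashing are placeholders for the real packed encoding and keccak256, and the `reject_zero_root` flag is one possible hardening, not Nomad's actual patch. The key detail it reproduces is that the contract's initializer marked the committed root as confirmed, and the deployment passed a zero root, so the value an EVM mapping returns for any unset slot became a trusted root.

```python
import hashlib

ZERO_ROOT = bytes(32)                       # 0x00..00, what an unset bytes32 mapping slot returns
STATUS_PROVEN = (1).to_bytes(32, "big")     # sentinel the contract stores after prove()
STATUS_PROCESSED = (2).to_bytes(32, "big")  # sentinel it stores after process()


def message_hash(message: dict) -> bytes:
    """Hash of the canonical message encoding. The real contract keccak256's the
    packed message bytes; sha256 over a simple string is enough for this model."""
    encoded = f"{message['destination']}|{message['recipient']}|{message['amount']}".encode()
    return hashlib.sha256(encoded).digest()


class Replica:
    """Minimal model of the receiving-side bridge contract (not Nomad's code)."""

    def __init__(self, local_domain: int, committed_root: bytes, now: int,
                 reject_zero_root: bool = False):
        self.local_domain = local_domain
        self.now = now
        self.reject_zero_root = reject_zero_root
        self.confirm_at: dict[bytes, int] = {}
        self.messages: dict[bytes, bytes] = {}
        # initialize(): the committed root is marked as confirmed at timestamp 1.
        # When the committed root passed in is 0x00, the default value of every
        # unset messages[] slot becomes a trusted root (the Nomad deployment bug).
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if root == STATUS_PROVEN:
            return True
        if root == STATUS_PROCESSED:
            return False
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened variant: never trust the mapping's default value
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and self.now >= confirmed

    def process(self, message: dict) -> str:
        if message["destination"] != self.local_domain:
            return "!destination"
        h = message_hash(message)
        root = self.messages.get(h, ZERO_ROOT)  # unset slot reads as 0x00, like an EVM mapping
        if not self.acceptable_root(root):
            return "!proven"
        self.messages[h] = STATUS_PROCESSED
        return f"released {message['amount']} to {message['recipient']}"


def run_demo() -> dict:
    """Replay the exploit pattern against a vulnerable and a hardened replica.
    Messages and addresses are constructed sample data."""
    original = {"destination": 1000, "recipient": "0xATTACKER_A", "amount": 100}
    copycat = dict(original, recipient="0xCOPYCAT_B")  # same calldata, recipient swapped
    results = {}

    vuln = Replica(local_domain=1000, committed_root=ZERO_ROOT, now=1_659_000_000)
    results["vuln_first"] = vuln.process(original)    # never proven, yet accepted
    results["vuln_replay"] = vuln.process(original)   # same hash now PROCESSED -> rejected
    results["vuln_copycat"] = vuln.process(copycat)   # new hash, unset slot -> accepted again

    fixed = Replica(local_domain=1000, committed_root=ZERO_ROOT, now=1_659_000_000,
                    reject_zero_root=True)
    results["fixed_first"] = fixed.process(original)
    results["fixed_copycat"] = fixed.process(copycat)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:13s} {outcome}")
```

Running the demo shows why replaying the exact same calldata did not work (the hash is marked processed after the first call) while changing the recipient did: the altered message has a fresh hash, its slot is unset, and the zero value it reads back is trusted. Either refusing a zero committed root in the initializer or rejecting `ZERO_ROOT` in `acceptable_root` closes the hole; the hardened branch here does the latter.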