  • J McGlynn and M Bacina

A reminder on digital asset protection: Solana and Nomad Bridge Hack

Updated: May 3

Nomad, a cryptocurrency bridge that lets users swap tokens between blockchains, and Solana, a leading blockchain and challenger to Ethereum, have fallen victim to two extremely damaging exploits in recent days, seeing millions in value drained from user wallets.

The Nomad Hack: Copy Paste ... Theft

An incident analysis by the crypto-security platform CertiK revealed the method of the Nomad hack, which saw USD$190m drained from user wallets due to an embarrassing upgrade SNAFU:

a routine upgrade allowed verification messages to be bypassed on Nomad.

An initial attacker identified the flaw in Nomad's updated system, which allowed the verification process of a transaction to be bypassed and the funds in a transaction to be moved to a wallet without the original wallet owner's permission. Others then jumped on the bandwagon by copying and pasting the original attacker's transaction and replacing the destination with their own wallet address.

While this hack is a bit of a damning indictment on the honesty of people in general, the Solana hack seems far more serious.

Solana: Icarus' favoured chain?

According to reports, the Solana hack does not seem to have arisen as a result of a bug within the core source code of the blockchain but rather due to popular, and potentially malicious, software connected to a significant number of Solana wallets.

Phantom, Slope and Trust – three crypto hot-wallet providers – have been identified as being compromised; however, much remains unknown at this early stage, as investigations to discover the extent, source and nature of the exploit are still underway.

Phantom announced:

We are working closely with other teams to get to the bottom of a reported vulnerability in the Solana ecosystem... At this time, the team does not believe this is a Phantom-specific issue. As soon as we gather more information, we will issue an update.

While the Nomad and Solana hacks are unconnected, both serve as a good reminder for crypto users of the importance of taking proactive steps to protect their crypto assets.

Decentralised systems have a number of benefits, which include the increased transparency and security of transactions, but the private keys and smart contracts which support these systems do to an extent remain a point of vulnerability which should not be overlooked. That is why good privacy practice and cold storage of wallets are always recommended.

The most useful maxim remains: "not your keys, not your crypto".

