Hackers drain almost $200mln in cryptocurrency from Nomad

It’s not entirely clear how the attack was orchestrated, or if Nomad plans to reimburse users who lost tokens in the attack

Hackers drained almost $200 million in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another, in yet another attack highlighting weaknesses in the decentralised finance space.

Nomad acknowledged the exploit in a tweet late Monday.

We are aware of the incident involving the Nomad token bridge, the startup said. We are currently investigating and will provide updates when we have them.

It’s not entirely clear how the attack was orchestrated, or if Nomad plans to reimburse users who lost tokens in the attack.

Blockchain security experts described the exploit as a “free-for-all.” Anyone with knowledge of the exploit and how it worked could seize on the flaw and withdraw an amount of tokens from Nomad — sort of like a cash machine spewing out money at the tap of a button.

It started with an upgrade to Nomad’s code. One part of the code was marked as valid whenever users decided to initiate a transfer, which allowed thieves to withdraw more assets than were deposited into the platform. Once other attackers cottoned on to what was going on, they deployed armies of bots to carry out copycat attacks.

Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol, said Victor Young, founder and chief architect of crypto startup Analog.

Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data, he said.

Sam Sun, research partner at crypto-focused investment firm Paradigm, described the exploit as ‘one of the most chaotic hacks that Web3 has ever seen’ — Web3 being a hypothetical future iteration of the internet built around blockchain technology.

Nomad is what’s known as a “bridge,” a tool that lets users exchange tokens and information between different crypto networks. They’re used as an alternative to making transactions directly on a blockchain like Ethereum, which can charge users high processing fees when there’s lots of activity happening at once.

Instances of vulnerabilities and poor design have made bridges a prime target for hackers seeking to swindle investors out of millions. More than $1 billion in crypto assets has been stolen through bridge exploits so far in 2022, according to a report from crypto compliance firm Elliptic.