Nomad lost almost $190 million TVL in “Decentralized Heist”
Cross-chain token bridge Nomad was breached on Monday, resulting in a loss of nearly $200 million worth of cryptocurrency.
In a statement published on Twitter, the trading platform confirmed the hacking incident:
“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.”
The protocol also warned of “impersonators posing as Nomad and providing false addresses to collect funds,” adding: “We do not yet provide instructions for returning bridge funds. Disregard communications from all channels other than Nomad’s official channel.”
As a cross-chain bridge, the protocol allows users to exchange different tokens, such as Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Milkomeda C1 and Moonbeam (GLMR).
According to online media outlet Cryptonews, which cited data from DeFi Llama, a DeFi data tracking platform, the total value locked (TVL) of Nomad reached $190 million before the exploit. The platform showed that the TVL of Nomad was less than $11,000 at the time of writing.
TVL is the amount of user funds that have been put into a decentralized finance (DeFi) protocol.
Cybersecurity platform BlockSec estimates the total loss in this event at around $150 million in Tether (USDT). The monitoring platform suggested that there may be loopholes in the verification procedure of Nomad’s functions: “Since an uninitialized storage space is always considered null, the attacker can actually send any message that has never appeared before to bypass the verification procedure.”
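The default-value pitfall BlockSec describes, as an added Python example (not Nomad's contract code and not part of the original article): a simplified model in which a never-proven message reads back as a null root, checked once without and once with a guard that rejects the unset value. The `Inbox` class, its method names and the assumption that the null value had ended up among the trusted roots are hypothetical.

```python
import hashlib

ZERO = b"\x00" * 32  # what an unset 32-byte storage slot reads as


def digest(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


class Inbox:
    """Hypothetical, simplified model of a bridge's inbound message check."""

    def __init__(self, trusted_roots, reject_unset):
        self.trusted_roots = set(trusted_roots)  # roots accepted as valid
        self.proven = {}          # message digest -> root it was proven under
        self.reject_unset = reject_unset
        self.done = set()         # digests already processed (replay guard)

    def prove(self, message: bytes, root: bytes) -> None:
        # Stands in for a successful Merkle proof of `message` under `root`.
        self.proven[digest(message)] = root

    def process(self, message: bytes) -> bool:
        d = digest(message)
        if d in self.done:
            return False
        # A never-proven message reads back as ZERO, like uninitialized storage.
        root = self.proven.get(d, ZERO)
        if self.reject_unset and root == ZERO:
            return False          # hardened: "unset" is never a valid proof
        if root not in self.trusted_roots:
            return False
        self.done.add(d)
        return True


def compare(message: bytes):
    """Return (flawed_result, hardened_result) for a never-proven message."""
    real_root = digest(b"constructed sample root")
    # Assumption: the null value ended up in the trusted set of both setups.
    flawed = Inbox({ZERO, real_root}, reject_unset=False)
    hardened = Inbox({ZERO, real_root}, reject_unset=True)
    return flawed.process(message), hardened.process(message)


if __name__ == "__main__":
    print(compare(b"constructed message nobody ever proved"))
```

The guard matters only because "never set" and "set to null" are indistinguishable in the lookup; when the null value is not trusted, the unguarded check also rejects unproven messages.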
Anonymous Terra researcher FatMan described the incident as “the first decentralized heist,” adding that “all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan.”
Online media outlet CoinDesk explained that bridges typically work by locking tokens in a smart contract on one chain and then releasing those tokens in “wrapped” form on another chain.
If the smart contract where the tokens are initially deposited is sabotaged, as in Nomad’s situation, the wrapped tokens may no longer have any protection, causing them to lose their value.
Last month, Nomad announced that it had secured a strategic investment of $22.4 million in April from various investors, including OpenSea, Coinbase Ventures, Crypto.com and Polygon.
Ironically, the latest security hole may embarrass the company as it tries to keep its promises and pursue its ambitions: according to its press release, Nomad had set its primary goal to “create a safer crypto ecosystem where blockchains can seamlessly and securely communicate with each other.”
The company estimated that more than $1.5 billion was stolen this year by hackers who exploited vulnerabilities in chain bridges, indicating that the industry needs security-first solutions that maximize the safety of users, funds and messages.
Image source: Nomad, DefiLlama