Hackers drain nearly $200 million from crypto startup Nomad
Billions of dollars in value have been wiped out of the cryptocurrency market in recent months. Companies in the industry are feeling the pain. Lending and trading companies are facing a liquidity crisis and many companies have announced layoffs.
Hackers siphoned off nearly $200 million in cryptocurrency from Nomad, a tool that allows users to exchange tokens from one blockchain to another, in yet another attack that highlights weaknesses in the decentralized finance space.
Nomad acknowledged the exploit in a tweet late Monday.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It is not entirely clear how the attack was orchestrated, or whether Nomad plans to refund users who lost tokens in the attack. The company, which markets itself as a “cross-chain secure messaging service,” was not immediately available for comment when contacted by CNBC.
Blockchain security experts described the exploit as a “free-for-all”. Anyone who knew about the bug and how it worked could exploit it and withdraw tokens from Nomad – sort of like an ATM spewing money at the push of a button.
It started with an upgrade to Nomad’s code. After the upgrade, a portion of the code marked transfers as valid each time a user initiated one, allowing the thieves to withdraw more assets than had been deposited into the platform. As soon as other attackers became aware of what was going on, they deployed armies of bots to carry out copycat attacks.
“Without prior programming experience, any user can simply copy the original attacker’s transaction call data and replace the address with theirs to exploit the protocol,” said Victor Young, founder and chief architect of crypto startup Analog.
“Unlike previous attacks, the Nomad hack became a free-for-all where multiple users began draining the network by simply replaying the original attackers’ transaction call data.”
Sam Sun, research partner at crypto-focused investment firm Paradigm, described the exploit as “one of the most chaotic hacks that Web3 has ever seen” – Web3 is a hypothetical future iteration of the internet built around blockchain technology.
Nomad is what is known as a “bridge”, a tool that allows users to exchange tokens and information between different crypto networks. Bridges are used as an alternative to transacting directly on a blockchain like Ethereum, which can charge users high processing fees when there is a lot of activity happening at once.
Recurring vulnerabilities and poor design have made bridges a prime target for hackers trying to swindle investors out of millions. More than $1 billion in crypto assets have been stolen through bridging exploits so far in 2022, according to a report by crypto compliance firm Elliptic.
In April, a blockchain bridge called Ronin was exploited in a $600 million crypto heist, which US officials have since attributed to the North Korean state. A few months later, Harmony, another bridge, was drained of $100 million in a similar attack.
Like Ronin and Harmony, Nomad was targeted through a bug in the code – but there were a few differences. In those earlier attacks, hackers were able to obtain the private keys needed to gain control of the network and begin moving out tokens. In Nomad’s case, it was much simpler than that. A routine update of the bridge allowed users to fake transactions and get away with millions worth of crypto.