Hackers drain nearly $200 million from crypto firm Nomad

Billions of dollars in value have been wiped out of the cryptocurrency market in recent months. Companies in the industry are feeling the pain. Credit and trading companies are facing a liquidity crisis and many companies have announced layoffs.

Yu Chun Christopher Wong | S3studio | Getty Images

Hackers siphoned off nearly $200 million in cryptocurrency from Nomad, a tool that allows users to exchange tokens from one blockchain to another, in yet another attack that highlights vulnerabilities in the decentralized finance space.

Nomad acknowledged the abuse in a tweet late Monday.

“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”

It’s not entirely clear how the attack was orchestrated or whether Nomad plans to refund users who lost tokens in the attack. The company, which markets itself as a “secure chain messaging service,” was not immediately available for comment when contacted by CNBC.

Blockchain security experts described the exploit as a “free-for-all.” Anyone who understood the manipulation and how it worked could reproduce it and take out loads of tokens from Nomad – like a money machine that spits out cash at the click of a button.

It started with an update to Nomad’s code. One part of the code marked every transfer as valid whenever a user initiated one, allowing thieves to withdraw more assets than had been deposited into the platform. Once other attackers realized what was happening, they sent armies of bots to carry out copycat attacks.
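The class of flaw described above, as an added toy model in Python that is not Nomad’s code (the class and function names, the zero-root detail and the sample message are constructed for illustration): a message that was never proven carries a default root, a bad initialisation marks that default root as acceptable, and so the validity check passes for any submitted message; the hardened variant rejects the default explicitly instead of trusting the configuration.

```python
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = bytes(32)  # root recorded for any message that was never proven

@dataclass
class Replica:
    # Merkle root -> time at which it becomes acceptable; 0 means "not confirmed"
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven against; missing entries read as ZERO_ROOT
    proven_root: dict = field(default_factory=dict)
    reject_zero_root: bool = True  # hardened behaviour; False reproduces the flaw
    released: list = field(default_factory=list)

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # an unproven message must never count as proven
        confirmed_at = self.confirm_at.get(root, 0)
        return confirmed_at != 0 and now >= confirmed_at

    def process(self, message: bytes, now: int) -> bool:
        # Release funds for `message` only if the root it was proven against is acceptable.
        root = self.proven_root.get(hashlib.sha256(message).digest(), ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        self.released.append(message)
        return True

def prove(r: Replica, message: bytes, root: bytes, confirm_at: int) -> None:
    # Constructed stand-in for the real proof step: bind the message to a root.
    r.proven_root[hashlib.sha256(message).digest()] = root
    r.confirm_at[root] = confirm_at

def vulnerable_replica() -> Replica:
    # Constructed misconfiguration: the zero root is initialised as confirmed, so
    # every message that was never proven looks proven and process() releases funds.
    r = Replica(reject_zero_root=False)
    r.confirm_at[ZERO_ROOT] = 1
    return r

def hardened_replica() -> Replica:
    # Same bad initialisation, but the explicit zero-root check in acceptable_root()
    # makes it harmless; the validity check does not depend on correct config.
    r = Replica(reject_zero_root=True)
    r.confirm_at[ZERO_ROOT] = 1
    return r

# Constructed sample: a withdrawal message nobody ever proved against a real root.
UNPROVEN_MESSAGE = b"transfer:1000:recipient=placeholder"
```

Run against the same unproven message, the vulnerable replica releases funds and the hardened one refuses, while a properly proven message still passes the hardened check once its root is confirmed.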

“With no prior programming experience, any user could simply copy the original attackers’ business call data and replace the address with theirs to exploit the protocol,” said Victor Young, founder and chief architect of crypto startup Analog.

“Unlike previous attacks, the Nomad hack became a free-for-all as many users began draining the network by simply replaying the original attackers’ data.”

Sam Sun, research associate at crypto-focused investment firm Paradigm, described the feat as “one of the most chaotic hacks Web3 has ever seen” — Web3 is an imagined future iteration of the Internet built around blockchain technology.

Nomad is what is known as a “bridge,” a tool that allows users to exchange tokens and information between different crypto networks. Bridges are used as an alternative to transacting directly on blockchains like Ethereum, which can charge users high processing fees when a lot of activity is happening at once.

Instances of vulnerabilities and poor design have made bridges prime targets for hackers trying to defraud investors out of millions. More than $1 billion in crypto assets have been stolen through hacking so far in 2022, according to a report from crypto firm Elliptic.

In April, a blockchain bridge called Ronin was used in a $600 million crypto heist, which US officials have since traced to the North Korean state. A few months later, Harmony, another bridge, was drained of $100 million in a similar attack.

Like Ronin and Harmony, Nomad was targeted for a flaw in the code – but there were some differences. In those earlier attacks, hackers obtained the private keys needed to gain control of the network and began exporting tokens. In Nomad’s case, it was much simpler than that: a routine update to the bridge allowed users to fake transactions and make off with millions worth of crypto.
