Hackers stole nearly $200 million in cryptocurrency from Nomad, a program that allows users to shift tokens from one blockchain to another, in yet another attack highlighting weaknesses in the decentralized finance space.
Late on Monday, Nomad acknowledged the exploit in a tweet.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It’s unclear exactly how the attack was planned or whether Nomad intends to compensate users who lost tokens in the hack. The startup, which bills itself as a “secure cross-chain messaging” service, no one was available to comment right away.
Anyone with knowledge of the attack and how it functioned could take advantage of the flaw and withdraw a certain quantity of tokens from Nomad — similar to a cash machine dispensing money at the touch of a button, according to blockchain security experts.
Like previous cross-chain bridges, Nomad enables users to transfer tokens back and forth between several blockchains. The attack on Monday is the most recent in a line of widely reported instances that have raised concerns about the safety of cross-chain bridges.
In a statement, the Nomad team admitted to the exploit. Leading organizations for blockchain intelligence and forensics have been retained, according to the team, and an investigation is still ongoing.
“We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds.”
It all began with a code upgrade for Nomad. When customers chose to start a transfer, one portion of the code was marked as genuine, allowing fraudsters to withdraw more money than was initially put into the platform. Once other attackers saw what was happening, they sent forth legions of bots to launch imitation attacks.
Without any prior programming knowledge, any user could easily duplicate the transaction call data from the initial attackers and replace the address with their own to take advantage of the protocol, according to Victor Young, founder and chief architect of crypto company Analog.
By merely replicating the transaction call data from the initial attackers, the Nomad breach turned into a free-for-all where several users began to deplete the network, unlike earlier attacks.
The vulnerability was dubbed “one of the most chaotic hacks that Web3 has ever seen” by Sam Sun, research partner at cryptocurrency investment firm Paradigm. Web3 is a fictitious future version of the internet based on blockchain technology.
Nomad is a “bridge,” or tool, that enables users to transfer tokens and data between several crypto networks. When there is a lot of activity going on at once, a blockchain like Ethereum may charge consumers a lot in processing costs, therefore they are employed as an alternative.
Bridges have been a popular target for hackers looking to defraud investors out of millions of dollars due to instances of weaknesses and bad construction. According to a research by the cryptocurrency compliance company Elliptic, more than $1 billion in cryptocurrency assets have been stolen using bridge attacks so far in 2022.
A $600 million cryptocurrency robbery took place in April via a blockchain bridge named Ronin, which U.S. officials have now linked to the North Korean government. A few months later, a similar attack on Harmony, another bridge, resulted in the loss of $100 million.
