Nomad crypto hack turns into mass theft of $190 million

It’s not a great day for the Nomad cryptocurrency project, nor for its high-profile investors.
Nomad is a cross-chain bridge, meaning it allows users to transfer cryptocurrency tokens from one blockchain to another. So if you want to move some ETH, USDC or WBTC from the Ethereum blockchain to the Moonbeam blockchain, Nomad makes it as easy as a couple of clicks.
Behind the scenes, the bridge “locks” your money on one side and spits out the same amount in so-called “wrapped” tokens on the other side. Over time, if a bridge is popular, it can have a lot of funds (think hundreds of millions) locked up in its smart contracts, and if someone finds a security hole in those smart contracts, some or all of those funds can be stolen. An additional problem with crypto bridges, as Ethereum founder Vitalik Buterin once pointed out, is that by their very design they are exposed to attacks on either of the two chains they connect.
In the case of Nomad, as pointed out by several experts on Twitter, it appears that a flaw in the smart contract allowed anyone to engineer a cryptocurrency transaction in such a way as to send one amount of crypto on one side but receive a larger amount on the other side. Yes, you can literally send 0.1 BTC on one side and get 100 BTC on the other side.
This is where things get interesting. Usually, when a security hole like this is discovered, a competent hacker or a small group will drain all the funds within minutes. But this time, after someone stole some money from the Nomad bridge, others joined in and took some money for themselves.
One reason this was possible was that the security hole was so obvious that it didn’t require much expertise to replicate. As security researcher @samczsun pointed out, “all you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then rebroadcast it,” and that’s exactly what people did. Think of it as the crypto equivalent of mass looting, with one person breaking a shop window and hundreds joining in to steal what they can.
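To make the copy-and-rebroadcast replay described above concrete, here is an added Python sketch (not Nomad’s or any project’s code) of how a destination-side replica should gate minting: a message is processed only when its Merkle proof validates against a root the verifiers attested to, and each message is consumed once, so editing the recipient or the amount changes the leaf hash and invalidates the proof. The hashing scheme, field layout, two-leaf tree and names are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass, replace
# Added example, not Nomad's code: hashing, field layout and the two-leaf tree
# are constructed for illustration only.
def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

@dataclass(frozen=True)
class Message:
    sender: bytes
    recipient: bytes
    amount: int
    nonce: int
    def leaf(self) -> bytes:  # every field, recipient included, is bound into the hash
        return h(self.sender, self.recipient,
                 self.amount.to_bytes(32, "big"), self.nonce.to_bytes(8, "big"))

def verify_proof(leaf: bytes, proof, root: bytes) -> bool:
    node = leaf  # proof: (sibling_hash, sibling_is_left) pairs from leaf up to root
    for sibling, sibling_is_left in proof:
        node = h(sibling, node) if sibling_is_left else h(node, sibling)
    return node == root

class Replica:  # destination-side contract: mints wrapped tokens only for proven messages
    def __init__(self):
        self.attested_roots = set()  # roots the verifiers have signed off on
        self.processed = set()       # leaves already minted for
    def process(self, msg: Message, proof, root: bytes) -> str:
        if root not in self.attested_roots:
            return "unproven root"
        if not verify_proof(msg.leaf(), proof, root):
            return "bad proof"
        if msg.leaf() in self.processed:
            return "replay"
        self.processed.add(msg.leaf())
        return "ok"

def demo():
    alice = Message(b"alice", b"alice-dest", 10, 1)
    bob = Message(b"bob", b"bob-dest", 5, 2)
    root = h(alice.leaf(), bob.leaf())  # constructed two-leaf tree
    replica = Replica()
    replica.attested_roots.add(root)
    proof = [(bob.leaf(), False)]       # alice's leaf is the left child
    honest = replica.process(alice, proof, root)
    replayed = replica.process(alice, proof, root)
    # "find/replace the other person's address with yours" and rebroadcast
    copied = replica.process(replace(alice, recipient=b"mallory"), proof, root)
    inflated = replica.process(replace(alice, amount=100), proof, root)
    return honest, replayed, copied, inflated
```

Running `demo()` returns `("ok", "replay", "bad proof", "bad proof")`: the honest message mints once, the identical rebroadcast is refused, and the edited copies fail proof verification.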
Word is not final on the total amount that was stolen, but it appears that all of Nomad’s funds were drained, and estimates go up to $190 million. The good thing is that in open-to-all, high-profile hacks like this, white hat hackers will often drain some of the funds to keep them safe and return them later, but it’s hard to assess how much of that happened in this particular case.
Nomad, which ironically calls itself the “security-first cross-chain protocol” and claims its mechanism requires “one honest actor to keep the entire system safe,” said on Twitter that it is looking into the hack. The company told CoinDesk that it has notified law enforcement and that the goal is to “identify the accounts involved and to trace and recover the funds.” Users should not use the Nomad Bridge at least until the issue is resolved.
The Moonbeam Network went into “maintenance mode” after the hack, meaning regular users were unable to transact on the network. The team brought the network back online after concluding that the security incident was not connected to the Moonbeam codebase.
The Nomad hack is not the only or even the biggest cryptocurrency hack in history; in March 2022, more than half a billion dollars was stolen from Ronin, and in June 2022, $100 million was stolen from Harmony.
Nomad is known to be a very popular bridge on the Moonbeam and Evmos networks, and to have received a $22.4 million seed round just days ago, with high-profile investors including Coinbase, OpenSea, and Crypto.com.