Hackers drain nearly $200 million from crypto startup Nomad
Billions of dollars of value have been wiped from the cryptocurrency market in recent months. Companies in the sector are feeling the pain. Lending and trading companies are facing a liquidity crunch and many companies have announced layoffs.
Hackers drained nearly $200 million in cryptocurrency from Nomad, a tool that allows users to swap tokens from one blockchain to another, in another attack highlighting weaknesses in the decentralized finance space.
Nomad acknowledged the exploit in a tweet on Monday evening.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It’s unclear how the attack was orchestrated, or whether Nomad plans to reimburse users who lost tokens in the attack. The company, which markets itself as a “secure cross-chain messaging” service, was not immediately available for comment when contacted by CNBC.
Blockchain security experts described the exploit as “free for everyone”. Anyone familiar with the exploit and how it works could use the loophole to withdraw tokens from Nomad – much like an ATM spitting out cash at the push of a button.
It started with a routine code update from Nomad. After the update, part of the code marked a transfer as valid each time a user initiated one, allowing thieves to withdraw more assets than they had deposited on the platform. Once other attackers realized what was going on, they deployed armies of bots to carry out copycat attacks.
“Without prior programming experience, any user could simply copy the original attackers’ transaction call data and replace the address with their own to exploit the protocol,” said Victor Young, founder and chief architect at crypto startup Analog.
“Unlike previous attacks, the Nomad hack became a free game where multiple users began draining the network by simply replaying the original attackers’ transaction call data.”
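The two failure modes the article describes (an update that makes the bridge treat unproven transfers as valid, and copycats replaying the same call data with a different recipient) can be shown with a small model. The following Python is an added illustration written for this page; it is not Nomad's code, and the class names, the upgrade step and the zero-valued default root are assumptions. It runs the same three messages through a flawed replica and a hardened one.

```python
# Added illustration (not Nomad's code): a toy cross-chain "replica" that
# releases tokens only for messages whose Merkle root has been confirmed.
# The flawed variant models an upgrade that confirms the default (all-zero)
# root, so any message nobody ever proved still looks accepted; the strict
# variant refuses the default root outright.
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32  # value an unset mapping slot returns in EVM storage


@dataclass
class Message:
    recipient: str
    amount: int

    def digest(self) -> bytes:
        return hashlib.sha256(f"{self.recipient}:{self.amount}".encode()).digest()


@dataclass
class Replica:
    strict: bool                                    # True = hardened check
    confirm_at: dict = field(default_factory=dict)  # root -> block when confirmed
    messages: dict = field(default_factory=dict)    # message digest -> proven root
    processed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def upgrade(self, committed_root: bytes, now: int) -> None:
        # Hypothetical upgrade step: mark a committed root as confirmed.
        # Calling it with ZERO_ROOT is the modelled flaw: the "unset" value
        # becomes indistinguishable from a confirmed root.
        self.confirm_at[committed_root] = now

    def prove(self, msg: Message, root: bytes) -> None:
        # Merkle proof verification is elided; assume it succeeded for `root`.
        self.messages[msg.digest()] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.strict and root == ZERO_ROOT:
            return False  # hardened: never treat the default slot as proven
        confirmed = self.confirm_at.get(root)
        return confirmed is not None and confirmed <= now

    def process(self, msg: Message, now: int) -> bool:
        d = msg.digest()
        if d in self.processed:
            return False  # exact replay of an already-processed message
        root = self.messages.get(d, ZERO_ROOT)  # unproven -> default slot
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(d)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def run_scenario(strict: bool) -> dict:
    """Constructed scenario: one proven transfer, then two unproven ones."""
    r = Replica(strict=strict)
    r.upgrade(ZERO_ROOT, now=100)  # the flawed upgrade: confirms the unset root

    good = Message("alice", 5)
    real_root = hashlib.sha256(b"constructed-root-1").digest()
    r.upgrade(real_root, now=101)
    r.prove(good, real_root)
    results = {"proven": r.process(good, now=200)}

    # Nobody proved these, so they resolve to ZERO_ROOT. The second one is the
    # "copycat": same call data shape, only the recipient address changed.
    results["unproven"] = r.process(Message("mallory", 10_000), now=200)
    results["copycat"] = r.process(Message("copycat", 10_000), now=200)
    results["balances"] = dict(r.balances)
    return results
```

The per-message replay guard (`processed`) does not help here: each copycat changes the recipient, so the digest is new, and the only thing standing between an unproven message and a payout is whether the default root counts as confirmed. That is why the hardened check rejects the zero root before consulting `confirm_at`, rather than relying on the upgrade path never writing it.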
Sam Sun, research partner at crypto-focused investment firm Paradigm, described the exploit as “one of the most chaotic hacks Web3 has ever seen” – Web3 being a hypothetical future iteration of the internet built around blockchain technology.
Nomad is a so-called “bridge”, a tool that allows users to exchange tokens and information between different crypto networks. Bridges are used as an alternative to direct transactions on a blockchain like Ethereum, which can charge users high processing fees when there is a lot of activity going on at the same time.
Cases of vulnerabilities and poor design have made bridges a prime target for hackers looking to defraud millions of investors. Over $1 billion worth of crypto assets have been stolen through bridge exploits so far in 2022, according to a report by crypto compliance firm Elliptic.
In April, a blockchain bridge called Ronin was exploited in a $600 million crypto heist, which US officials have since attributed to the North Korean state. A few months later Harmony, another bridge, was drained of $100 million in a similar attack.
Like Ronin and Harmony, Nomad was targeted through a flaw in its code – but there were a few differences. In those attacks, the hackers obtained the private keys needed to take control of the network and start moving the tokens. In the case of Nomad, it was much simpler than that. A routine bridge update allowed users to fake transactions and make off with millions in crypto.