Skip to content
Hackers abuse ‘chaotic’ Nomad exploit to drain nearly $200 million in crypto – TechCrunch

Cross-chain messaging protocol Nomad has become the target of crypto’s latest nine-digit attack after hackers abused a “chaotic” security exploit to steal nearly $200 million in digital assets.

Nomad, a token bridge that allows users to send and receive tokens between Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Moonbeam (GLMR), and Milkomeda C1 blockchains, was attacked on Monday , with the hackers draining almost the entire protocol fund.

Around $190.7 million in crypto was stolen from the bridge, according to decentralized finance tracking platform DeFi Llama, which shows that the current total value locked — the amount of user funds deposited into a DeFi protocol — is less than $12,000 at the time of writing.

Nomad has yet to confirm how the hackers were able to steal the funds. But according to samczsun, the chief security officer of investment firm web3 Paradigm, a recent update to one of Nomad’s smart contracts has made it easy for users to spoof transactions. This meant that when a user transferred funds from one blockchain to another, Nomad would never verify the amount, allowing the user to withdraw funds that did not belong to them. For example, a user could send 1 ETH, for example, and then manually call the smart contract on the other blockchain to receive 100 ETH. Blockchain audit company Zellic also came to the same finding.

“It’s like using a checkbook to withdraw funds from a bank, and the bank doesn’t check to see if we actually have enough money,” said Adrian Hetman, technical manager of the web3 bug triage program team. bounty Immunefi, at TechCrunch. “They only care that the check itself looks valid.”

Samczun explains that unlike most bridge attacks where a single culprit is behind the entire exploit, the “chaotic” Nomad attack was free-for-all in which opportunists flocked to steal funds from the bridge once that the word had been circulating, resulting in what the researcher described as a “frenzied free-for-all”. blockchain security company Shield said more than 41 addresses had drained $152 million – or 80% of the stolen funds.

“All that was needed to exploit it was to copy the original hacker’s transaction and change the original address to a custom one. Simple copy and paste,” Hetman added.

The incident affected Wrapped Ether (WETH), USD Coin (USDC), WBTC and other tokens that were drained from the bridge.

TechCrunch has contacted Nomad but has yet to receive a response. However, the company caught on Twitter to warn of impersonators trying to raise funds. “We are aware of impersonators posing as Nomad and providing fraudulent addresses to raise funds,” he said. “We are not yet providing instructions for returning the bridging funds. Disregard communications from any channels other than the official Nomad channel. »

In a separate tweet, Nomad confirmed that it had notified law enforcement and engaged the services of leading blockchain intelligence and forensics companies to “identify accounts involved and trace and recover funds.” .

The attack comes just days after Nomad revealed that a number of high-profile crypto investors including Coinbase Ventures, OpenSea, Polygon, and Capital participated in its $22 million seed round in April, which earned the company a valuation of $225 million.

“At Nomad, our goal is to make communication more secure through blockchains,” Nomad said last week. “We believe that secure cross-chain messaging is the key to uniting DeFi ecosystems and unlocking the true power and potential of the block space, wherever it is.”

The Nomad attack is the latest in a series of high-profile incidents that have called into question the security of cross-chain bridges. Axie Infinity’s Ronin Bridge lost over $600 million in a hack in April this year and Harmony’s Horizon Bridge was drained of $100 million in June.


Not all news on the site expresses the point of view of the site, but we transmit this news automatically and translate it through programmatic technology on the site and not from a human editor.