Nomad, a startup that allows users to trade cryptocurrency tokens between different blockchains, has acknowledged losses of nearly $200 million in crypto due to an apparent security vulnerability.
Crypto hacks certainly aren’t new, and blockchain bridges are frequent targets. In June, Harmony’s Horizon bridge lost approximately $100 million in various cryptocurrencies.
However, the Nomad hack is notable because of — ironically — its decentralization. Hundreds of people may have participated in the attack, which wasn’t coordinated or planned; new hackers simply copied the exploit of the first hacker (who made off with $2.3 million, per a report from CoinTelegraph).
Gizmodo reports that a routine upgrade allowed hackers to skip verification messages included in the bridge’s initialization process. Anyone with knowledge of the exploit was able to remove crypto from the Nomad system — and some bad actors immediately drained millions from the accounts of other users.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Within about four hours, Nomad’s resources were nearly depleted. One analyst referred to the attack as “the first decentralized crowd-looting of a 9-figure bridge in history.”
From $190,740,000 to $1,794 in hours
But it wasn't a flashloan, or even carried out by a single group
After an initial attacker struck, hundreds of separate accounts figured out the trick and copypasta-ed their way into grabbing stolen funds pic.twitter.com/ef0A9djdnf
— foobar (@0xfoobar) August 2, 2022
Nomad joins a growing list of major crypto hacks.
While crypto markets have fallen in value over the past several months, they still store enormous assets — and when an exchange or bridge has a security vulnerability, bad actors will take advantage.
At the time of publication, Nomad hasn’t announced specific plans to reimburse victims. However, the company has said that it is working behind the scenes to “coordinate the return of funds.”
“We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics,” the startup wrote on Twitter. “Our goal is to identify the accounts involved and to trace and recover the funds.”
“Thank you to our many white hat friends who acted proactively and are safeguarding funds. Please continue to hold them until we provide further instructions on this thread.”
Generally, when crypto assets are lost to hackers, they’re gone for good. We offer cryptocurrency recovery services for every type of asset, but our service is limited to situations in which a hard copy of the user’s wallet exists — or the user knows some of the words from their seed phrase.
We urge crypto investors to exercise caution when storing assets on bridges and online cryptocurrency platforms. To learn more about our cryptocurrency recovery services, contact us at 1-800-237-4200 or submit a case online.