Hackers have stolen $190m in cryptocurrency from Nomad Token Bridge, a platform that allows users to exchange tokens between blockchains. The heist, described by a researcher as “one of the most chaotic hacks web3 has ever seen,” is the sixth-largest crypto theft to date, and a further sign of the security flaws of the crypto ecosystem.
Yesterday evening, crypto security researchers noticed a series of high-value transactions moving cryptocurrencies off the bridge. Within a matter of hours, Nomad Token Bridge’s holdings fell from $190m in various cryptocurrencies to just $1,794.
Twitter user @samczsun, a security researcher at crypto investment firm Paradigm, described the scene as a “frenzied free for all”.
Nomad, the organisation that operates the Nomad Token Bridge, acknowledged the incident in the early hours of this morning.
“We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics,” the company said in its most recent update. “Our goal is to identify the accounts involved and to trace and recover the funds.”
The incident is the sixth-largest crypto theft to date. The biggest so far is the theft earlier this year of $614m in cryptocurrency from Ronin, an exchange that allows players of the Axie Infinity ‘play to earn’ videogame to swap in-game tokens for cryptocurrency.
Nomad Token Bridge hack: how did it happen?
The Nomad Token Bridge hack resulted from a security flaw in the protocol's code introduced during a routine upgrade, according to @samczsun. Hackers could simply copy a previous transaction, substitute their own address as the destination, and the protocol would approve it.
Once one hacker had successfully used the exploit, hundreds of others followed suit. The tokens that were lost include WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax, Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai, GeroWallet (GERO), Card Starter (CARDS), Saddle DAO and Charli3 (C3).
Web3 developer Foobar described it as “the first de-centralised crowd looting of a nine-figure bridge in history”, while @samczsun dubbed it “one of the most chaotic hacks web3 has ever seen”.
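The article only says that an upgrade left the bridge approving copied messages with a changed destination. As an added illustration (not Nomad's code; the mechanism modelled here is an assumption, not something the article states), the following Python model shows a destination-chain message check whose acceptance is keyed on a stored Merkle root, with an upgrade that marks the default zero root as trusted beside a hardened variant that refuses it.

```python
import hashlib
from dataclasses import dataclass, replace

ZERO_ROOT = b"\x00" * 32  # what an unset storage slot reads as


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    amount: int


def message_hash(msg: Message) -> bytes:
    return hashlib.sha256(f"{msg.sender}|{msg.recipient}|{msg.amount}".encode()).digest()


class Replica:
    """Constructed model of a destination-chain contract that pays out proven messages."""

    def __init__(self, committed_root: bytes, strict: bool):
        # strict=False models an upgrade that (by assumption) initialises the
        # contract with the zero root marked acceptable; strict=True is hardened.
        if strict and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.acceptable_roots = {committed_root}
        self.proven_root: dict[bytes, bytes] = {}  # message hash -> root proven against
        self.processed: set[bytes] = set()
        self.strict = strict

    def prove(self, msg: Message, root: bytes) -> None:
        # Merkle proof verification is assumed to have already succeeded here.
        self.proven_root[message_hash(msg)] = root

    def process(self, msg: Message) -> bool:
        h = message_hash(msg)
        if h in self.processed:
            return False  # replay of an already-paid message
        root = self.proven_root.get(h, ZERO_ROOT)  # never-proven message reads as zero
        if self.strict and root == ZERO_ROOT:
            return False  # hardened: an unproven message is rejected regardless of config
        if root not in self.acceptable_roots:
            return False
        self.processed.add(h)
        return True


def run_scenario(committed_root: bytes, strict: bool) -> tuple[bool, bool]:
    """Returns (legitimate proven message accepted?, unproven edited copy accepted?)."""
    replica = Replica(committed_root, strict)
    legit = Message("alice", "alice-on-destination", 100)  # constructed sample
    replica.prove(legit, committed_root)
    edited = replace(legit, recipient="other-address")  # copied, never proven
    return replica.process(legit), replica.process(edited)
```

In the flawed configuration the edited copy is accepted alongside the legitimate message; the hardened replica rejects it and refuses to be initialised with the zero root at all, which is the invariant an upgrade review or post-deploy check should assert.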
What is Nomad Token Bridge?
Nomad Token Bridge allows users to transfer cryptocurrency tokens from one blockchain to another. It describes itself as a "security-first cross-chain messaging protocol".
Just last week, the company announced that it had raised $22.4m from investors including Coinbase Ventures and Polygon. "Nomad’s primary goal is to create a safer crypto ecosystem where blockchains can communicate seamlessly and securely with each other," the company said in its fund-raising announcement.
"With more than $1.5bn stolen this year by hackers exposing vulnerabilities in cross-chain bridges, the industry is in need of security-first solutions that maximise the safety of users, funds, and messages."
Other cross-chain bridges to have been robbed include Poly Network, which lost $611m to hackers in August 2021.
In the first half of this year, web3 projects lost $2bn to theft and scams, according to research by specialist security provider CertiK.
This vulnerability raises questions about the viability of decentralised finance and other related concepts. A number of decentralised autonomous organisations (DAOs) - entities that are collectively governed through blockchain-based smart contracts - have been the victims of crypto theft, and the ensuing investigations have called their legal status into question.