August 2, 2022updated 12 Oct 2022 10:02am

Hackers steal $190m from Nomad Token Bridge in sixth-largest crypto theft to date

'Chaotic' heist on cross-chain messaging protocol is the latest to reveal the cybersecurity shortcomings of web3.

By Claudia Glover

Hackers have stolen $190m in cryptocurrency from Nomad Token Bridge, a platform that allows users to exchange tokens between blockchains. The heist, described by a researcher as “one of the most chaotic hacks web3 has ever seen,” is the sixth-largest crypto theft to date, and a further sign of the security flaws of the crypto ecosystem.

Nearly $200m was drained from the protocol in a ‘frenzied free for all’. (Photo by _ultraforma_ / iStock)

Yesterday evening, crypto security researchers noticed a series of high-value transactions moving cryptocurrencies off the bridge. Within a matter of hours, Nomad Token Bridge’s holdings fell from $190m in various cryptocurrencies to just $1,794.

Twitter user @samczsun, a security researcher at crypto investment firm Paradigm, described the scene as a “frenzied free for all”.

Nomad, the organisation that operates the Nomad Token Bridge, acknowledged the incident in the early hours of this morning.

“We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics,” the company said in its most recent update. “Our goal is to identify the accounts involved and to trace and recover the funds.”

The incident is the sixth-largest crypto theft to date. The biggest so far is the theft earlier this year of $614m in cryptocurrency from Ronin, an exchange that allows players of the Axie Infinity ‘play to earn’ videogame to swap in-game tokens for cryptocurrency.

Nomad Token Bridge hack: how did it happen?

The Nomad Token Bridge hack resulted from a security flaw in the protocol's code introduced during a routine upgrade, according to @samczsun. Hackers could simply edit a previous transaction adding their own address as the destination, and the protocol would approve it.
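The article attributes the flaw to code introduced during an upgrade that let anyone resubmit an existing transaction with a new destination address. The following is an added illustration, not Nomad's contract code, of the general failure class a bridge's receiving contract can fall into: a message that was never proven against a trusted root looks up to the storage default (a zero root), and an upgrade that marks the zero root as trusted turns every unproven message into an approved one. The class names, mapping names and sample messages are constructed for this example; the hardened variant shows the invariant a defender would enforce and a post-upgrade check that catches the misconfiguration.

```python
import hashlib
from dataclasses import dataclass, field

# Storage-style defaults: an unset mapping slot reads as zero, as in an EVM contract.
ZERO_ROOT = b"\x00" * 32
NOT_PROVEN = 0  # timestamp 0 means "no such root has been confirmed"


def message_hash(destination: str, recipient: str, amount: int) -> bytes:
    """Hash a simplified cross-chain transfer message (constructed format)."""
    return hashlib.sha256(f"{destination}|{recipient}|{amount}".encode()).digest()


@dataclass
class Replica:
    """Receiving side of a bridge: accepts messages proven under a trusted root."""
    confirm_at: dict = field(default_factory=dict)   # root -> time it becomes usable
    proven_under: dict = field(default_factory=dict)  # message hash -> root
    processed: set = field(default_factory=set)
    strict: bool = True  # hardened behaviour; False models the upgrade bug

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.strict and root == ZERO_ROOT:
            return False  # invariant: the zero root is never trusted
        t = self.confirm_at.get(root, NOT_PROVEN)
        return t != NOT_PROVEN and now >= t

    def confirm_root(self, root: bytes, usable_at: int) -> None:
        self.confirm_at[root] = usable_at

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Merkle inclusion verification is out of scope here; assume it passed.
        self.proven_under[msg_hash] = root

    def process(self, destination: str, recipient: str, amount: int, now: int) -> bool:
        h = message_hash(destination, recipient, amount)
        if h in self.processed:
            return False  # replay protection
        # Bug class: an unproven message reads the zero default, which the
        # vulnerable configuration treats as an acceptable root.
        root = self.proven_under.get(h, ZERO_ROOT)
        if self.strict and h not in self.proven_under:
            return False  # hardened: require an explicit proof record
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        return True


def upgrade_sanity_check(replica: Replica) -> list:
    """Post-upgrade check a deployer should run: report trusted sentinel roots."""
    findings = []
    if replica.confirm_at.get(ZERO_ROOT, NOT_PROVEN) != NOT_PROVEN:
        findings.append("zero root is marked acceptable; unproven messages will pass")
    return findings


def demo() -> dict:
    """Run the vulnerable and hardened replicas over the same constructed messages."""
    legit_root = hashlib.sha256(b"constructed legitimate batch root").digest()
    results = {}

    vulnerable = Replica(strict=False)
    vulnerable.confirm_at[ZERO_ROOT] = 1  # the misconfigured upgrade step
    results["vuln_unproven"] = vulnerable.process("chainB", "0xATTACKER", 100, now=10)
    results["vuln_findings"] = upgrade_sanity_check(vulnerable)

    hardened = Replica(strict=True)
    hardened.confirm_root(legit_root, usable_at=5)
    results["hard_unproven"] = hardened.process("chainB", "0xATTACKER", 100, now=10)
    legit = message_hash("chainB", "0xALICE", 100)
    hardened.prove(legit, legit_root)
    results["hard_proven"] = hardened.process("chainB", "0xALICE", 100, now=10)
    results["hard_replay"] = hardened.process("chainB", "0xALICE", 100, now=11)
    results["hard_findings"] = upgrade_sanity_check(hardened)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The detection angle is the `upgrade_sanity_check` function: a deployment pipeline that asserts sentinel values are never trusted after an upgrade would flag this state before any funds move, and a monitor that alerts on successful `process` calls whose message has no matching `prove` record would catch the first exploit transaction rather than the hundredth.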


Once one hacker had successfully used the exploit, hundreds of others followed suit. The tokens that were lost include WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax, Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai, GeroWallet (GERO), Card Starter (CARDS), Saddle DAO and Charli3 (C3).

Web3 developer Foobar described it as “the first de-centralised crowd looting of a nine-figure bridge in history", while @samczsun dubbed it “one of the most chaotic hacks web3 has ever seen".

What is Nomad Token Bridge?

Nomad Token Bridge allows users to transfer cryptocurrency tokens from one blockchain to another. It describes itself as a "security-first cross-chain messaging protocol".

Just last week, the company announced that it had raised $22.4m from investors including Coinbase Ventures and Polygon. "Nomad’s primary goal is to create a safer crypto ecosystem where blockchains can communicate seamlessly and securely with each other," the company said in its fund-raising announcement.

"With more than $1.5bn stolen this year by hackers exposing vulnerabilities in cross-chain bridges, the industry is in need of security-first solutions that maximise the safety of users, funds, and messages."

Other cross-chain bridges to have been robbed include Poly Network, which lost $611m to hackers in August 2021.

In the first half of this year, web3 projects lost $2bn to theft and scams, according to research by specialist security provider CertiK.

This vulnerability raises questions about the viability of decentralised finance and other related concepts. A number of decentralised autonomous organisations (DAOs) - entities governed collectively through blockchain-based smart contracts - have been the victims of crypto theft, and the ensuing investigations have called their legal status into question.
