Hackers drained nearly $200 million worth of cryptocurrency from Nomad, a tool that allows users to switch tokens from one blockchain to another, in another attack that highlights vulnerabilities in the field of decentralized finance.
Nomad acknowledged the exploit in a tweet late Monday.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It is not entirely clear how the attack was organized, or whether Nomad plans to compensate users who lost tokens in the attack. The company, which markets itself as a “secure cross-chain messaging” service, was not immediately available for comment when contacted by CNBC.
Blockchain security experts described the vulnerability as a “free-for-all.” Anyone who knew about the exploit and how it worked could seize on the flaw and withdraw tokens from Nomad – sort of like a cash machine that spits out money at the press of a button.
It started with an upgrade to Nomad’s code. One piece of the code was marked as valid whenever users decided to initiate a transfer, which allowed thieves to withdraw more assets than had been deposited in the platform. Once other attackers caught on to what was happening, they deployed armies of bots to carry out copycat attacks.
“Without prior programming experience, any user can simply copy the transaction call data of the original attackers and replace the address with their own address to exploit the protocol,” said Victor Young, founder of crypto startup Analog.
“Unlike previous attacks, the Nomad hack became free for everyone as many users started draining the network once the attackers’ original transaction call data was restarted.”
Sam Sun, research partner at crypto-focused investment firm Paradigm, described the exploit as “one of the most chaotic hacks that Web3 has ever seen” – Web3 being a hypothetical future iteration of the Internet built on blockchain technology.
Nomad is what is known as a “bridge,” a tool that allows users to swap tokens and information between different crypto networks. Bridges are used as an alternative to conducting transactions directly on a blockchain such as Ethereum, which can charge users high processing fees when there is a lot of activity happening simultaneously.
Weaknesses and poor design have made bridges a prime target for hackers seeking to defraud investors of millions. More than $1 billion in crypto assets have been stolen through bridge exploits so far in 2022, according to a report by crypto compliance firm Elliptic.
In April, a blockchain bridge called Ronin was exploited in a $600 million crypto heist, which US officials have since attributed to the North Korean state. A few months later, another bridge, Harmony, was drained of $100 million in a similar attack.
Like Ronin and Harmony, Nomad was targeted through a flaw in its code – but there were a few differences. In those attacks, the hackers were able to obtain the private keys needed to take control of the network and start transferring tokens. In Nomad’s case, it was much simpler than that: a routine update to the bridge’s code let users withdraw funds they had never deposited and make off with millions of dollars’ worth of cryptocurrency.