The Nomad Token Bridge drained of $190 million in funds in a security exploit

The Nomad token bridge appears to have been hit by a security exploit that allowed hackers to systematically drain the bridge’s funds over a long chain of transactions.

Nearly $190.7 million of cryptocurrency has been removed from the bridge, with only $651.54 left in the wallet, according to decentralized finance (DeFi) tracking platform DeFi Llama.

The first suspicious transaction, which may have been the genesis of the ongoing exploit, came at 9:32 PM UTC when someone managed to remove 100 WBTC worth about $2.3 million from the bridge.

Shortly after the community raised alarm bells about the potential exploitation, the Nomad team confirmed at 11:35 PM UTC that it was aware of the “incident related to the iconic Nomad Bridge”, adding that it was “currently investigating the incident”. The team did not immediately respond to a request for comment.

The incident saw WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL), and Charli3 (C3) tokens taken from the bridge.

The exploiters have removed tokens in an unusual way: nearly every token has been removed in equivalent denominations. For example, transactions amounting to exactly 202,440.725413 USD were executed more than 200 times.

Nomad is a token bridge that allows token transfers between Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS), Milkomeda C1 and Moonbeam (GLMR).

Unlike other exploits that became fairly common in 2022, this incident has so far involved hundreds of addresses receiving tokens directly from the bridge.

Meanwhile, Polkadot Network’s Moonbeam smart contract platform, whose native GLMR token was targeted in the Nomad exploit, entered maintenance mode at 11:18 PM UTC “to investigate a security incident.” As a result, Moonbeam functionality such as normal user transactions and smart contract interactions will be disabled.

The attack came early in the life of the bridge, whose first fundraising from investors took place in April. On July 29, the project revealed in a tweet that Coinbase Ventures, OpenSea and five other major companies in the cryptocurrency industry had participated in an initial fundraising round in April, which gave Nomad a valuation of $225 million.