Nomad Token Bridge Suffers $190M Security Exploit

  • Hundreds of addresses were involved in the $190 million exploit, and Nomad believes that at least some of them were white hat hackers.
  • A researcher for Paradigm has speculated that the exploit was caused by a recent update to one of Nomad’s smart contracts.

Cross-chain token bridge Nomad has fallen victim to a security exploit, which resulted in attackers draining almost all of the funds from its platform, the team behind the project revealed on 2 August.

Data from decentralized finance (DeFi) tracker DeFi Llama shows that almost all funds were drained from Nomad — the platform had around $190 million prior to the incident — with the token bridge having only $11,000 total value locked (TVL) at the time of writing. The team behind the project said it is currently investigating the incident, adding it believed that not only malicious actors were involved, but white hat hackers as well.

“We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds. Nomad is grateful to its many white hat friends who reacted quickly to withdraw and safeguard the funds.”

The Nomad incident is unusual in that it does not appear to have involved a single actor or group: hundreds of addresses received tokens from the bridge. The first suspicious transaction was made at 9:32pm UTC, when someone removed 100 WBTC from the bridge. Shortly after, hundreds of transactions systematically drained all digital assets from the platform.

Some in the crypto community have speculated that the exploit was the result of a recent update to one of Nomad’s smart contracts, which made it easy for users to withdraw money from the bridge that did not belong to them. A researcher for crypto investment firm Paradigm noted on Twitter:

“This is why the hack was so chaotic – you didn’t need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it”
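The find/replace pattern the researcher describes only works when a bridge accepts a message without binding its recipient to an authenticated commitment. The following is an added illustration in Python, not Nomad’s contract code and not a claim about the actual root cause: a hypothetical bridge that only processes messages proven against a Merkle root committed by the origin chain, so a copied message with the recipient swapped fails verification. The message fields, hashing scheme and `Bridge` class are assumptions.

```python
import hashlib
# Added illustration, not Nomad's code: message fields and hashing are assumptions.
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(msg: dict) -> bytes:
    # Canonical encoding of every field a relayer might try to alter.
    return h(b"\x00" + f"{msg['recipient']}|{msg['amount']}|{msg['nonce']}".encode())

def build_tree(leaves: list) -> list:
    # Layers from leaves to root; an odd layer is padded by duplicating its last node.
    layers = [list(leaves)]
    while len(layers[-1]) > 1:
        cur = layers[-1]
        if len(cur) % 2:
            cur.append(cur[-1])
        layers.append([h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return layers

def merkle_proof(layers: list, index: int) -> list:
    # (sibling hash, sibling-is-left) pairs from the leaf up to the root.
    proof = []
    for layer in layers[:-1]:
        proof.append((layer[index ^ 1], index % 2 == 1))
        index //= 2
    return proof

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    node = leaf
    for sibling, sibling_is_left in proof:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node == root

class Bridge:
    def __init__(self, committed_root: bytes):
        self.root = committed_root   # root attested by the origin chain
        self.processed = set()       # accepted leaves, for replay protection
    def process(self, msg: dict, proof: list) -> bool:
        leaf = leaf_hash(msg)
        if leaf in self.processed or not verify_inclusion(leaf, proof, self.root):
            return False
        self.processed.add(leaf)
        return True

def demo() -> tuple:
    # Constructed sample messages; the second one is the transaction being copied.
    msgs = [{"recipient": "0xalice", "amount": 100, "nonce": n} for n in range(3)]
    layers = build_tree([leaf_hash(m) for m in msgs])
    bridge, proof = Bridge(layers[-1][0]), merkle_proof(layers, 1)
    legit = bridge.process(msgs[1], proof)                                # True
    forged = bridge.process(dict(msgs[1], recipient="0xmallory"), proof)  # False
    replay = bridge.process(msgs[1], proof)                               # False
    return legit, forged, replay
```

The forged copy fails because changing the recipient changes the leaf hash, so the original proof no longer reaches the committed root; the second attempt with the unmodified message fails on the replay check.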

The exploit puts Nomad — which marketed itself as more secure than other platforms — in an awkward position, as it had recently closed a $22 million seed round. The funding round saw participation from major crypto entities, such as Coinbase Ventures, OpenSea, Polygon, Crypto.com, and others.
