Hackers stole nearly $200 million from crypto startup Nomad

Billions of dollars have been wiped from the cryptocurrency market in recent months, and companies in the industry are feeling the pain. Lending and trading firms are facing a liquidity crisis, and many have announced layoffs.

Yu Chun Christopher Wong | S3studio | Getty Images

Hackers siphoned nearly $200 million in crypto from Nomad, a tool that allows users to exchange tokens from one blockchain to another, in yet another attack that exposes weaknesses in the decentralized finance space.

Nomad acknowledged the exploit in a tweet late Monday night.

“We are aware of an incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”

It is not entirely clear how the attack was staged and whether Nomad plans to refund users who lost tokens as a result of the attack. The company, which bills itself as a “secure internetwork messaging” service, was not immediately available for comment when contacted by CNBC.

Blockchain security experts described the exploit as a “free-for-all.” Anyone who knew about the exploit and how it worked could trigger the vulnerability and withdraw tokens from Nomad, rather like an ATM that dispenses cash at the push of a button.

It all started with a code update to Nomad. After the update, one piece of code treated a transfer as valid whenever a user chose to initiate one, allowing thieves to withdraw more assets than had been deposited on the platform. Once other attackers saw what was happening, they deployed armies of bots to carry out copycat attacks.

“Without previous programming experience, any user can simply copy the original transaction call data of the attackers and replace the address with their own in order to use the protocol,” said Victor Young, founder and chief architect of Analog, a crypto startup.

“Unlike previous attacks, the Nomad hack became free for everyone when a few users began draining the network by simply replaying data from the attackers’ original transaction calls.”
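The following is a constructed model, added here for illustration; it is not Nomad's contract code and the article does not give the exact defect. It assumes the flaw takes the shape the quotes above describe: a validity check that treats a message whose proof was never recorded as already confirmed, so any well-formed transfer request goes through, and a copy of the same request with a different recipient goes through just as easily. The `strict` variant shows the check a bridge should perform instead: release funds only for a message explicitly proven against a confirmed, non-default root, and reject replays of a message already processed.

```python
"""Constructed model of a token-bridge message check (not Nomad's code).

It models the failure class described in the article: a validity check that
treats the default "never proven" state as already confirmed, so any
well-formed message is accepted, and copying a message with a different
recipient works just as well. The strict bridge requires each message to
have been explicitly proven against a confirmed, non-default root.
"""
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = "00" * 32  # default value of an unset mapping slot (assumed layout)


def message_hash(sender: str, recipient: str, amount: int, nonce: int) -> str:
    """Hash of a bridge message; changing any field yields a new message."""
    return hashlib.sha256(f"{sender}|{recipient}|{amount}|{nonce}".encode()).hexdigest()


@dataclass
class Bridge:
    strict: bool  # False models the flawed check, True the corrected one
    confirm_at: dict = field(default_factory=dict)  # root -> time it becomes usable
    messages: dict = field(default_factory=dict)    # message hash -> proven root
    processed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not self.strict:
            # The modelled defect: the initial "trusted" root is the zero value,
            # so the default root of an unproven message counts as confirmed.
            self.confirm_at[ZERO_ROOT] = 1

    def confirm_root(self, root: str, at: int) -> None:
        """An updater records a root once it has been attested (assumed flow)."""
        self.confirm_at[root] = at

    def prove(self, msg: tuple, root: str) -> None:
        """Record that msg was proven to sit under root (Merkle proof elided)."""
        self.messages[message_hash(*msg)] = root

    def acceptable_root(self, root: str, now: int) -> bool:
        if self.strict and root == ZERO_ROOT:
            return False  # the default value is never a valid root
        confirmed = self.confirm_at.get(root, 0)
        return confirmed != 0 and now >= confirmed

    def process(self, msg: tuple, now: int) -> bool:
        """Release funds for msg; returns True if the transfer was executed."""
        h = message_hash(*msg)
        if h in self.processed:
            return False  # replay of the identical message
        if self.strict and h not in self.messages:
            return False  # never proven: reject instead of falling back to a default
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(h)
        _, recipient, amount, _ = msg
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


def demo() -> dict:
    """Run the same unproven messages through both checks; returns the outcomes."""
    original = ("0xSENDER", "0xFIRST", 100, 1)   # constructed sample message
    copied = ("0xSENDER", "0xCOPYCAT", 100, 1)   # same data, recipient swapped
    flawed, fixed = Bridge(strict=False), Bridge(strict=True)
    results = {
        "flawed_original": flawed.process(original, now=10),
        "flawed_copy": flawed.process(copied, now=10),
        "fixed_original": fixed.process(original, now=10),
        "fixed_copy": fixed.process(copied, now=10),
    }
    # A legitimately proven message still passes the strict check, once only.
    root = "ab" * 32
    fixed.confirm_root(root, at=5)
    fixed.prove(original, root)
    results["fixed_proven"] = fixed.process(original, now=10)
    results["fixed_proven_replay"] = fixed.process(original, now=10)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'executed' if ok else 'rejected'}")
```

The point for a defender is in `process`: the flawed variant never distinguishes "proven" from "unset", so the replay guard on `processed` is useless against a copy with a new recipient (it has a different hash). The strict variant rejects anything not explicitly proven and refuses the zero root outright, which is also the invariant a monitoring rule can watch for: a bridge releasing funds for a message hash that was never proven is the signal, not the individual transfer.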

Sam Sun, research partner at cryptocurrency investment firm Paradigm, described the exploit as “one of the most chaotic hacks Web3 has ever seen” – Web3 is a hypothetical future iteration of the Internet built on blockchain technology.

Nomad is what is known as a “bridge”, a tool that allows users to exchange tokens and information between different crypto networks. Bridges are used as an alternative to transacting directly on a blockchain such as Ethereum, which can charge users high processing fees when there is a lot of activity at the same time.

Vulnerabilities and poor design have made bridges a prime target for hackers seeking to swindle investors out of millions. According to a report by crypto compliance firm Elliptic, more than $1 billion in crypto assets were stolen through bridge exploits in 2022.

In April, a blockchain bridge called Ronin was exploited in a $600 million cryptocurrency heist, which US officials have since attributed to the North Korean state. A few months later, $100 million was stolen from another bridge, Harmony, in a similar attack.

Like Ronin and Harmony, Nomad was compromised through a bug in its code, but there were a few differences. In those attacks, the hackers obtained the private keys needed to take control of the network and begin moving tokens. In Nomad's case, everything was much simpler: a routine bridge upgrade allowed users to fake transactions and steal millions in cryptocurrency.