Nomad, a cryptocurrency service, lost almost $200 million in a large attack that took place over several hours from Monday until Tuesday morning. The Nomad project’s official Twitter account confirmed the hack and revealed that the company has reported the incident to law enforcement.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them. — Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Nomad is a cryptocurrency bridge, a service that allows users to swap tokens between blockchains. This service provides a solution to the interoperability challenge between the many types of cryptocurrencies. It also allows its users to bypass the high processing fees imposed by blockchains like Ethereum.
However, the complex technology used by the service is prone to attacks. According to the crypto compliance firm Elliptic, more than $1 billion in crypto assets has been stolen this year alone. This attack on Nomad is another example of the weakness of the decentralized finance space.
The attack began with a new upgrade to Nomad’s code. The hackers found a weakness in one part of the code that allowed them to withdraw more assets than they had deposited. Other attackers followed suit, going so far as to employ bot armies.
According to Victor Young, crypto startup Analog’s founder and chief architect, any user without previous programming experience was able to copy the original transaction call data and change the address to exploit the weakness. As a result, the attack on Nomad became a “free-for-all”. It is the most severe attack so far this year.
His statement was echoed by Sam Sun, a research partner at Paradigm, a crypto-focused investment firm. On his Twitter account, Sun described the attack as “one of the most chaotic” attacks seen so far in the Web3 environment.
Latest attack in a series
Blockchain bridge services are susceptible to attacks by cybercriminals because of the enormous value of the assets they hold, poor designs, and a lack of oversight. In addition, Elliptic attributed the attacks to services preferring fast development over solid security.
In June, Harmony lost $100 million in an attack. Previously, Ronin Network, another blockchain bridge, lost more than $600 million in an attack that U.S. officials attributed to the North Korean state. Moreover, in February, a hacker noticed an error in the Wormhole bridge platform’s code that had been uploaded to GitHub. As a result, the company lost $325 million.
Professor Ronghui Gu, CEO and co-founder of the blockchain security auditing firm CertiK, said that the most urgent problem facing the Web3 era was how to protect cross-chain bridges from massive attacks like this one. It is imperative for these bridges to have iron-clad security.
Through its official Twitter account, Nomad announced that it has created a funds recovery process. It is working with white hat hackers and ethical researchers for the recovery. It has also partnered with the nationally regulated custodian bank Anchorage Digital.
Update: We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds. — Nomad (⤭⛓🏛) (@nomadxyz_) August 2, 2022
While the identities of the attackers are still unknown, Nomad is working with law enforcement and TRM Labs, a leading blockchain analysis and intelligence firm. The startup said that all parties involved are prepared to take action soon.