Hackers strike again: Crypto bridge Nomad loses $200 million in free-for-all attack

By Connie Lin

August 02, 2022

In the latest assault on cryptocurrencies, hackers stole nearly $200 million worth of ether and stablecoins from crypto bridge Nomad, outlets reported Tuesday morning.

Over the course of the two-hour attack, Nomad’s holdings dropped from $190.7 million to just $651.54. In a tweet early Tuesday, Nomad said it had alerted law enforcement and recruited blockchain intelligence and forensics firms, and was “working around the clock” to trace and recover the funds.

The hack underscores an ever-present fear in decentralized finance, which, as a matter of principle, offers limited recourse when such crises strike, since authorities cannot simply snatch back the funds. According to blockchain analytics firm Chainalysis, hackers bagged $3.2 billion in 2021 and are on pace to match that number in 2022. Loot can sometimes be recovered if the perpetrator is identified and arrested, or if a bounty is paid to restore the funds.

But complicating matters is the “chaotic” nature of Nomad’s hack: While many attacks involve a single culprit, Nomad’s was a “frenzied free-for-all,” a researcher at crypto investment firm Paradigm wrote on Twitter. The funds were siphoned into more than 41 different wallet addresses, as vultures flocked to pillage Nomad once word of the exploit began to spread.

Enabling the scrum was the fact that hacking Nomad required scant complex coding. The exploit came through a routine software upgrade, after which the bridge failed to verify the amounts involved in any given transaction, allowing users to “spoof” transactions by manually rewriting the code to withdraw more cryptocurrency than was held in their own accounts—thus treating Nomad like an unlimited ATM, spewing forth free cash. Once one hacker figured this out, others needed only to copy and paste the malicious code to glom onto the scheme.
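The failure described above is a missing verification step on a bridge's withdrawal path. The Python model below is added here as an illustration; it is not Nomad's code and is not taken from the article. It contrasts a bridge that pays out on any message it is handed with one that releases funds only for messages that were attested on the source chain, have not already been processed, and do not exceed the balance locked in the bridge. The message format, the `attest` step standing in for the cross-chain proof, and the balances and addresses are all constructed for the example.

```python
"""Toy model of a cross-chain bridge's withdrawal path (added example, not Nomad's code).

Constructed to show why the missing check matters: once verification is gone,
a copied message with a rewritten recipient and amount is paid out like any
other. The hardened path checks attestation, replay and solvency before paying.
"""
from dataclasses import dataclass, replace
import hashlib


@dataclass(frozen=True)
class WithdrawMessage:
    """A cross-chain message asking the bridge to release locked tokens (constructed format)."""
    recipient: str
    token: str
    amount: int
    nonce: int

    def digest(self) -> bytes:
        payload = f"{self.recipient}|{self.token}|{self.amount}|{self.nonce}".encode()
        return hashlib.sha256(payload).digest()


class UnverifiedBridge:
    """Models the broken state: process() trusts every message it receives."""

    def __init__(self, locked: dict[str, int]) -> None:
        self.locked = dict(locked)  # token -> balance locked in the bridge

    def process(self, msg: WithdrawMessage) -> int:
        # No attestation, replay or balance check: the bridge pays out on demand.
        self.locked[msg.token] = self.locked.get(msg.token, 0) - msg.amount
        return self.locked[msg.token]


class VerifiedBridge(UnverifiedBridge):
    """Hardened path: only attested, unspent, solvent messages release funds."""

    def __init__(self, locked: dict[str, int]) -> None:
        super().__init__(locked)
        self.attested: set[bytes] = set()   # digests the validator set has proven
        self.processed: set[bytes] = set()  # digests already paid out

    def attest(self, msg: WithdrawMessage) -> None:
        """Stand-in for the source-chain proof step (validators or relayers)."""
        self.attested.add(msg.digest())

    def process(self, msg: WithdrawMessage) -> int:
        d = msg.digest()
        if d not in self.attested:
            raise PermissionError("message was never proven on the source chain")
        if d in self.processed:
            raise PermissionError("message already processed (replay)")
        if msg.amount > self.locked.get(msg.token, 0):
            raise ValueError("withdrawal exceeds locked balance")
        self.processed.add(d)
        return super().process(msg)


def demo() -> dict[str, object]:
    """Run one legitimate and one forged withdrawal through both bridge variants."""
    locked = {"WETH": 1_000}                                     # constructed balance
    legit = WithdrawMessage("0xALICE", "WETH", 10, nonce=1)      # constructed message
    # The forgery is a copy of the legitimate message with recipient and amount rewritten.
    forged = replace(legit, recipient="0xMALLORY", amount=1_000, nonce=2)

    broken = UnverifiedBridge(locked)
    broken_after = broken.process(forged)      # nothing stops it: balance goes to 0

    hardened = VerifiedBridge(locked)
    hardened.attest(legit)
    legit_after = hardened.process(legit)      # 1000 - 10 = 990
    outcomes: dict[str, object] = {}
    for name, m in (("forged", forged), ("replay", legit)):
        try:
            hardened.process(m)
            outcomes[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            outcomes[name] = type(exc).__name__
    return {"broken_after": broken_after, "legit_after": legit_after, **outcomes}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the unverified bridge's balance falling to zero on a single forged message, while the verified bridge pays the attested withdrawal and rejects both the forgery (never proven) and a second submission of the same legitimate message (replay). The point for defenders is that the three checks are independent: an upgrade or initialization change that removes any one of them reopens the path, so each belongs in the deployment test suite rather than being assumed from the previous release.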

However, a tweet from Nomad suggested some of the funds might be in the care of “white hat” do-gooders, i.e., hackers who withdrew the coins in order to safeguard them once the “black hat” theft was underway.

The attack was the third major hack this year of a so-called crypto “bridge,” a class of crypto services that has been particularly vulnerable. According to blockchain analytics firm Elliptic, more than $1 billion has been stolen from bridges in 2022—including $600 million in March from the Ronin bridge, which powers the popular Axie Infinity computer game. (That hack, the largest to date, has since been attributed to the state of North Korea.) Months before that, the Solana-based Wormhole bridge was robbed of $300 million.

The weaknesses of these bridges, which allow users to swap assets from one blockchain to another—and which are crucial to achieving “interoperability” in Web3, referring to a future where users can frictionlessly transfer digital assets from one metaverse to another—have loomed large on the path to a DeFi world. The attack on Nomad now heightens those worries.

Before the hack, Nomad had sold investors, including heavyweights like Coinbase Ventures and OpenSea, on a vision of a “security-first” cross-chain protocol. Days ago, it raised $22 million in seed capital.
