Share this article
Thieves rushed to drain the bridge once news of the exploit surfaced. Unlike most other crypto hacks, stealing funds did not require in-depth programming knowledge.
$190M Lost in Nomad Attack
Nomad has become the target of crypto’s latest nine-figure attack.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
The cross-chain project’s token bridge suffered a major exploit late Monday, allowing a group of thieves to make off with around $190 million in stolen digital assets.
News of the attack first surfaced on social media after security researchers noticed a high volume of assets leaving the bridge. According to Paradigm researcher samczsun, a flaw in Nomad’s Replica contract effectively allowed users to make one small deposit to the bridge and withdraw a much larger amount of funds they never actually owned. While most DeFi exploits are typically carried out by skilled programmers with an in-depth knowledge of Solidity, taking advantage of this one only required a relatively simple copy and paste exercise. This meant that opportunists flocked to steal funds from the bridge once word got around, resulting in what samczsun described as a “frenzied free-for-all.”
Though the total sum lost has not yet been confirmed, it’s estimated that about $190 million worth of wrapped Bitcoin (WBTC), wrapped Ethereum (WETH), USD Coin (USDC) and other assets was stolen. That makes the attack one of the biggest to hit the DeFi space to date. According to Defi Llama data, the project now holds just $12,750 in total value locked.
The Nomad team took to Twitter early Tuesday to say that it was “investigating [the incident] and will provide updates” as more information becomes clear, but it has not yet published a postmortem report.
Nomad is one of many cross-chain projects aiming to enable interoperability across blockchains. Its core product is the Nomad token bridge, which lets users move their assets freely across Polkadot’s Moonbeam parachain, Ethereum, Evmos, and Milkomeda. The Nomad team raised $22 million in a Polychain-led seed round in April. The raise put the company’s valuation at $225 million.
Editor’s note: This story is developing and will be updated as further details emerge.
Disclosure: At the time of writing, the author of this piece owned ETH and several other cryptocurrencies.