Nomad crypto hack turns into $190 million mass theft

It's not a great day for the Nomad cryptocurrency project, nor for its high-profile investors.

Nomad is a cross-chain bridge, meaning it allows users to transfer cryptocurrency tokens from one blockchain to another. So, if you want to move some ETH, USDC or WBTC from the Ethereum blockchain to the Moonbeam blockchain, Nomad makes it as easy as a couple of clicks.

Behind the scenes, the bridge "locks" your money on one side and spews out the same amount in so called "wrapped" tokens on the other side. Over time, if a bridge is popular, it can have a lot of funds (think hundreds of millions) locked in its smart contracts, and if someone finds a security hole in those smart contracts, some or all of those funds can be stolen. An additional problem with crypto bridges, as once pointed out by Ethereum co-founder Vitalik Buterin, is that they're by design vulnerable to attacks on two sides.

In case of Nomad, as pointed out by several experts on Twitter, it appears that a bug in its smart contract allowed anyone to construct a cryptocurrency transaction in such a way to send one amount of crypto on one side, but receive a larger amount on the other side. Yes, you could literally send 0.1 BTC on one side and get 100 BTC on the other side.

This is where things get interesting. Typically, when a security hole like this gets unearthed, a competent hacker or a small group will drain all of the funds within minutes. But this time, after someone successfully stole some money from the Nomad bridge, others joined in and took some money for themselves.

One reason why this was possible was that the security hole was so blatant that it didn't require a lot of expertise to replicate. As security researchers @samczsun pointed out, "all you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it," and that's exactly what people did. Think of it as the crypto equivalent of mass looting, with one person breaking a store window and hundreds joining in to steal what they can.

The word is not final on the total amount that was stolen, but it appears that all of Nomad's funds were drained, and estimates go up to $190 million. A bit of silver lining is that, in case of open-to-all, high-profile hacks like this, white hat hackers will often drain some of the funds in order to keep them safe and return them later, but it's hard to assess how much of that was happening in this particular case.

Tweet may have been deleted (opens in a new tab)

Nomad, which ironically calls itself "security-first cross-chain protocol," and claims that its mechanism requires "one honest actor to keep the entire system safe," said on Twitter that it's looking into the hack. The company told CoinDesk it has notified law enforcement, and that its goal is to "identify the accounts involved and to trace and recover the funds." Users should not used the Nomad bridge at least until the issue is resolved.

Tweet may have been deleted (opens in a new tab)

Moonbeam Network went into "maintenance mode" following the hack, meaning that regular users were not able to execute transactions on the network. The team brought back the network after concluding that the security incident was not connected to the Moonbeam codebase.

The Nomad hack isn't the only or even the largest cryptocurrency hack in history; in March 2022, more than half a billion dollars was stolen from Ronin, and in June 2022, $100 million were stolen from Harmony.

Nomad is notable for being a very popular bridge on the Moonbeam and Evmos networks, and for receiving a $22.4 million seed round just days ago, with investors being high-profile companies including Coinbase, OpenSea, and Crypto.com.