Users can move tokens from one network to another with the help of blockchain bridges.
Hackers stole almost $200 million worth of cryptocurrency from Nomad, a tool that lets users move tokens from one blockchain to another. It is yet another example of the weaknesses in the decentralised finance space.
Nomad acknowledged the hack in a tweet late on Monday.
“We know about what happened with the Nomad token bridge,” the new company said.
“We are looking into it right now and will let you know when we have more information.”
It’s not clear how the attack was planned or if Nomad will pay back users who lost tokens because of it.
Experts on blockchain security called the bug a “free-for-all.” Anyone who knew about the exploit and how it worked could use it to drain tokens from Nomad, much like a cash machine that dispenses money whenever a button is pressed.
It began with a change to Nomad's code. After the update, a check that runs when a user initiates a transfer treated a part of the transaction as valid without it having been verified, which allowed thieves to withdraw more money than had ever been deposited in the platform. Once other attackers saw what was happening, they unleashed armies of bots to repeat attacks identical to the first ones.
“Any user could exploit the protocol without knowing how to code if they just copied the original attackers’ transaction call data and changed the address to their own,” said Victor Young, founder and chief architect of crypto startup Analog.
“Unlike previous attacks, the Nomad hack turned into a free-for-all, with multiple users draining the network by simply replaying the transaction call data from the original attackers.”
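The flaw described above (an update that caused an unverified message to pass the validity check, so that anyone could submit their own withdrawal) is modelled here as an added example; this is not Nomad's contract code, and the class and field names are stand-ins. The public post-mortem attributed the bug to the trusted root being initialised to zero, the same value an unproven message carries by default, which is the defect the vulnerable class reproduces and the hardened class rejects.

```python
import hashlib

# Added model of the bug class, not Nomad's contract code: a bridge replica
# releases funds for a message only if it was proven against a trusted root.
ZERO_ROOT = b"\x00" * 32  # default value of an unset storage slot


class VulnerableReplica:
    """The upgrade set the trusted root to zero, which is also the default
    root of any message that was never proven."""

    def __init__(self, committed_root: bytes):
        self.confirmed_roots = {committed_root}     # accepted at init
        self.message_root: dict[bytes, bytes] = {}  # msg hash -> proven root

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        assert root in self.confirmed_roots  # stand-in for Merkle proof check
        self.message_root[msg_hash] = root

    def process(self, msg_hash: bytes) -> bool:
        root = self.message_root.get(msg_hash, ZERO_ROOT)  # unproven -> zero
        return root in self.confirmed_roots  # True releases funds


class HardenedReplica(VulnerableReplica):
    """Fix: the zero sentinel is never a trusted root nor a proven root."""

    def __init__(self, committed_root: bytes):
        if committed_root == ZERO_ROOT:
            raise ValueError("trusted root must not be the zero sentinel")
        super().__init__(committed_root)

    def process(self, msg_hash: bytes) -> bool:
        if self.message_root.get(msg_hash, ZERO_ROOT) == ZERO_ROOT:
            return False  # never proven: reject before any other check
        return super().process(msg_hash)


def demo() -> dict:
    """Constructed inputs: one message never proven, one properly proven."""
    forged = hashlib.sha256(b"constructed: unproven withdrawal").digest()
    legit = hashlib.sha256(b"constructed: proven withdrawal").digest()
    real_root = hashlib.sha256(b"constructed root").digest()
    bad, good = VulnerableReplica(ZERO_ROOT), HardenedReplica(real_root)
    good.prove(legit, real_root)
    return {"vulnerable_accepts_forged": bad.process(forged),
            "hardened_accepts_forged": good.process(forged),
            "hardened_accepts_proven": good.process(legit)}
```

The audit lesson is the one the article points at: a default or sentinel value must never coincide with a value the code treats as trusted, and an upgrade's initialisation parameters deserve the same review as the logic they feed.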
Sam Sun, a research partner at the crypto-focused investment firm Paradigm, called the exploit “one of the most chaotic hacks that Web3 has ever seen.” Web3 is a hypothetical future version of the internet built around blockchain technology.
Nomad is a “bridge,” a piece of software that lets users move tokens and information between different crypto networks. Bridges are used as an alternative to transacting directly on a blockchain like Ethereum, which can charge users high processing fees during periods of heavy activity.
Because of security flaws and poor design, bridges are frequent targets for hackers looking to take millions of dollars from investors. A report from crypto compliance firm Elliptic says that more than $1 billion in crypto assets have been stolen through bridge exploits so far in 2022.
In April, a $600 million crypto heist targeted a blockchain bridge called Ronin. U.S. officials have since said that the North Korean government is to blame. A few months later, a similar attack took $100 million from another bridge called Harmony.
Like Ronin and Harmony, Nomad was attacked because of a flaw in its code, but there were a few differences. In the Ronin and Harmony attacks, hackers obtained the private keys they needed to take control of the network and start sending tokens out. The Nomad attack required far less than that.
A routine update to the bridge made it possible for anyone to fake transactions and steal millions of dollars’ worth of cryptocurrency.