In a new attack exposing flaws in the decentralised finance sector, hackers stole nearly $200 million in bitcoin from Nomad, a programme that allows users to shift tokens from one blockchain to another.
Late on Monday, Nomad acknowledged the vulnerability in a tweet.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It’s unclear exactly how the attack was planned or whether Nomad intends to compensate users who lost tokens in the hack. When CNBC called the startup, which bills itself as a “secure cross-chain messaging” service, no one was available to comment right away.
Security specialists for blockchains called the hack a “free-for-all.” Anyone who understood how the exploit operated might take advantage of the weakness and use Nomad as a type of automatic cash dispenser, dispensing tokens whenever a button was pressed.
It all began with a code upgrade for Nomad. Every time customers chose to start a transfer, one portion of the code was marked as genuine, allowing fraudsters to withdraw more money than was initially put into the platform. Once other attackers saw what was happening, they sent forth legions of bots to launch imitation strikes.
“Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol,” remarked Analog, a cryptocurrency business, founder and chief architect Victor Young.
“Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data.”
The vulnerability was dubbed “one of the most chaotic hacks that Web3 has ever seen” by Sam Sun, research partner at cryptocurrency investment firm Paradigm. Web3 is a fictitious future version of the internet based on blockchain technology.
Nomad is what’s referred to as a “bridge,” a device that enables users to trade tokens and data between several crypto networks. When there is a lot of activity going on at once, a blockchain like Ethereum may charge consumers a lot in processing costs, therefore they are employed as an alternative.
Bridges have been a popular target for hackers looking to defraud investors out of millions of dollars due to instances of weaknesses and bad construction. According to a research by the cryptocurrency compliance company Elliptic, more than $1 billion in cryptocurrency assets have been stolen using bridge attacks so far in 2022.
A $600 million cryptocurrency robbery took place in April via a blockchain bridge named Ronin, which U.S. officials have now linked to the North Korean government. A few months later, a similar attack on Harmony, another bridge, resulted in the loss of $100 million.
Nomad was targeted due to a fault in its coding, same like Ronin and Harmony, however there were a few changes. With the use of those attacks, hackers were able to obtain the private keys required to take over the network and begin transferring tokens. It was considerably easier in Nomad’s situation. Users were able to fake transactions and steal millions of dollars’ worth of cryptocurrency because to a routine update to the bridge.
