Frenzied mob' steals more than $156 million from crypto platform Nomad

Crypto platform Nomad was robbed of more than $156 million in cryptocurrency on Monday evening after a vulnerability in a recent update was discovered and replicated by dozens of hackers.

Nomad – a company that facilitates cryptocurrency trades between different blockchains like Avalanche (AVAX), Ethereum (ETH), Evmos (EVMOS) and more – performed an update on their platform in recent days that introduced the vulnerability.

It allowed anyone to withdraw more funds than they were depositing. Several cryptocurrency security firms and experts traced about 80% of the stolen funds to 41 accounts. But others noted that there was a free-for-all once news of the exploit spread. 

Blockchain security company Elliptic told The Record it identified over 40 exploiters and more than 200 malicious contracts deployed to automate the exploit. By midday Tuesday, Elliptic said just $15,000 in cryptoassets remained. Elliptic and security company PeckShield noted that several accounts associated with other cryptocurrency platform attacks took part in the frenzy.

Six white hat hackers managed to get about $8.2 million, and in an on-chain message to them Nomad pledged to give 20% of returned funds back to those who came forward.

In an effort to siphon funds being returned to the platform, some scammers attempted to pose as company representatives, leading the company to put out a statement on Twitter saying the were “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.”

“We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel,” the company said. 

Messages popping up in public Discord servers of random people grabbing $3K-$20K from the Nomad bridge - all one had to do was copy the first hacker's transaction and change the address, then hit send through Etherscan. In true crypto fashion - the first decentralized robbery. https://t.co/jWV9AamBer

— FatMan (@FatManTerra) August 2, 2022

Nomad did not respond to requests for comment but released several statements on Twitter.

On Tuesday morning, the company said it had notified law enforcement and hired security firms to help with the investigation. The attack was also having potential downstream effects on other crypto platforms.

“Our goal is to identify the accounts involved and to trace and recover the funds. Thank you to our many white hat friends who acted proactively and are safeguarding funds. Please continue to hold them until we provide further instructions on this thread,” the company added. 

Update: We are working around the clock to address the situation and have notified law enforcement and retained leading firms for blockchain intelligence and forensics. Our goal is to identify the accounts involved and to trace and recover the funds.

1/2

— Nomad () (@nomadxyz_) August 2, 2022

On Reddit, users noted that Nomad was warned about this exact issue in an audit done by security company Quantstamp on June 9.

Quantstamp outlined precisely the scenario that took place on Monday and wrote in the audit that the Nomad team "has misunderstood the issue."

Nomad becomes the latest in a string of high-profile cyberattacks on blockchain bridges – which allow people to transfer tokens, assets, smart contract instructions and data between blockchains. 

In addition to the more than $600 million stolen during the Ronin Bridge hack in March, a hacker abused a vulnerability in the Wormhole cryptocurrency platform in February to steal an estimated $322 million worth of Ether currency. In June, blockchain bridge Harmony was hacked and had $100 million stolen.

A week before the Wormhole hack, a similar attack took place against another blockchain bridge when a hacker stole $80 million from Qubit Finance. Some experts said the Qubit attack closely resembles how Nomad was exploited.

Bitmart lost $196 million in early December and one month before cybercriminals stole about $120 million from DeFi platform Badger while AscendEX had about $77 million stolen. 

Blockchain gaming company Vulcan Forged was robbed of around $140 million in December while $34 million was taken from Cream Finance in September and about $200 million was stolen from the PancakeBunny platform in May. 

But Ronghui Gu, CEO of cryptocurrency security company CertiK, told The Record that the Nomad hack was special because once the initial hacker finished their attack, other users could replicate the exploit by copying the original hacker's transaction calldata and replacing the original address with a personal one. 

“In four hours, other hackers, bots, and community members replicated the initial attack, draining it in a frenzied mob attack in what Twitter user @0xfoobar called, ‘...the first decentralized crowd-looting of a 9-figure bridge in history,’” he said. 

“This attack will surely be remembered alongside other 9-figure attacks against cross-chain bridges from this year such as the Ronin Bridge hack and the Wormhole hack. The sums lost show the cross-chain bridges to be both a highly vulnerable, but also a highly sought-after technology due to the amount of value held on them.”

If Nomad is unable to recover some amount of funds, the attack would be one of the largest cryptocurrency hacks recorded in recent years. 

Elliptic said it ranks the attack on Nomad eighth in the list of top 10 crypto hacks of all time based on value lost. Nomad is the fourth blockchain bridge to join the list, and the platforms now account for $1.6 billion of total funds lost in the top 10 thefts.

The attack comes at an inopportune time for Nomad, which on Thursday announced a $22 million funding round in April that included Coinbase Ventures, Crypto.com Capital, OpenSea and Polygon.

The round pushed Nomad to a valuation of $225 million and Chief Technical Officer James Prestwich said on Thursday that the company's "optimistic security model helps reduce the trust assumptions required for cross-chain communication, while still being extensible enough to be broadly applicable.”