Hackers have drained nearly $200 million in cryptocurrency from the blockchain platform Nomad. For context, Nomad is a cryptocurrency bridge that allows users to swap cryptos between two or more blockchains. This comes as further bad news for Decentralised Finance (DeFi) platforms which facilitate the borrowing and lending of crypto assets.
The hack has been acknowledged by the Nomad project’s official Twitter handle. The company confirmed the attack and said that the team was “working around the clock to address the situation” and had also notified law enforcement. Here, we explain how the hackers drained one of the biggest blockchain platforms Nomad.
To understand the severity of the hack, it is important to have some knowledge of blockchain bridges. Bridges in the real-world connect two physical locations. Similarly, in the blockchain ecosystem, a bridge facilitates communication between two blockchains to facilitate the transfer of crypto assets.
For instance, when you plan a trip from India to the USA, you have INR but need USD to spend. To exchange your INR for USD you use a currency exchange, for a small fee. Using blockchain bridges you can exchange crypto on another blockchain. Let’s say you hold some Ethereum on the Ethereum blockchain and you wish to transfer your crypto to the Arbitrum chain. This is only possible through bridges. It should be noted that blockchain bridges charge a small transaction fee for the same.
The attack was pretty simple and straightforward. It all started when hackers made an upgrade to Nomad’s code. Notably, DeFi platforms are open protocols, meaning that anyone can obtain the source code. This is one of the biggest reasons for DeFi platforms getting hacked. But, it is not easy to make changes to the source code. Every change has to be approved, which is done automatically on the blockchain.
According to Samczsun, a researcher at the crypto and Web3 investment firm Paradigm, the exploit was possible because of a bug in the project’s smart contract which automatically approved the changes made by the hacker, and allowed authorisation of withdrawal of crypto assets. “This is why the hack was so chaotic,” samczsun wrote. The researcher believes that an army of attackers cottoned on to what was going on, deployed bots to carry out copycat attacks and withdraw over $200 million in crypto assets.
Nomad in a Twitter post has requested hackers to return the funds. “If you are a white hat hacker / ethical security researcher who took tokens with the intention of returning them, we now have a process for you to do so.”
The company says that it is actively working with a leading intelligence firm TRM Labs, and law enforcement to trace fund flows and identify recipient wallets to coordinate the return of funds. “As the investigation continues, all involved are prepared to take necessary action in the coming days, so please keep in mind that timeliness of funds return is important,” the company said in a Twitter post.
This is not the first time blockchain bridges have been a target of cybercriminals. In April 2022, a blockchain bridge called Ronin was exploited in a $600 million crypto heist. Months later Harmony, another bridge, was drained of $100 million in a similar attack.
Meanwhile, more than $1 billion in crypto assets has been stolen through bridge exploits so far in 2022, as per crypto compliance firm Elliptic. This is due to instances of poor design that have made bridges a prime target for hackers.