Nomad Token Bridge Drained Nearly $200M in Security Exploit

Nomad Bridge, a cross-chain decentralized finance (DeFi) application that allows users to send and receive tokens across various protocols, has been exploited for nearly $200 million worth of assets.

Nomad Bridge Exploit

In a Twitter post on Monday, samczsun, a researcher at crypto investment firm Paradigm, revealed that the bridge was exploited for almost all of its assets in an attack described as “one of the most chaotic hacks in the DeFi history.” 

The funds were stolen in batches of wrapped Bitcoin (WBTC), Ethereum (ETH), and stablecoins, draining the protocol of almost all its assets.

The company acknowledged the exploit and said that an investigation is under way.

“An investigation is ongoing, and leading firms for blockchain intelligence and forensics have been retained,” the company said in a statement. “Nomad’s goal is to identify the accounts involved and to trace and recover the funds.”

Hacker Sabotaged the Bridge

Typically, bridges work by locking up assets in a smart contract on one chain and then releasing the equivalent tokens as wrapped cryptocurrency on another chain.

According to the Paradigm researcher, the Nomad bridge replica contract was sabotaged after the protocol’s team set the trusted root to 0x00 during a routine upgrade, which resulted in every message on the chain being treated as automatically proven.

He further explained that once the bridge was compromised, attackers exploited the vulnerability and drained the “bridge in a frenzied free-for-all,” which allowed others to join in simply by replacing the wallet address in an existing transaction with their own.
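To make the failure mode concrete, the following is an added illustration and is not Nomad’s code. It models the relevant part of a bridge replica contract: a message may only be processed if the Merkle root it was proven under has been confirmed, and an unproven message reads back from storage as the all-zero root. Marking the zero root as confirmed therefore makes every unproven message acceptable. The hardened variant refuses the zero root outright. The state layout, the `Replica` class and the use of SHA-256 in place of a contract’s keccak256 are assumptions of the model, and the sample messages are constructed.

```python
# Added model of a bridge replica's message-processing checks (not Nomad's code).
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32        # the all-zero Merkle root ("0x00" in the article)
LEGIT_ROOT = b"\x11" * 32       # constructed: a root that was legitimately confirmed


def message_hash(message: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the keccak256 digest a contract would use.
    return hashlib.sha256(message).digest()


@dataclass
class Replica:
    # root -> timestamp after which the root counts as confirmed (0 = never confirmed)
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root the message was proven under (absent = never proven)
    messages: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    reject_zero_root: bool = False  # hardening: never accept the zero root
    now: int = 1_000                # simulated block timestamp

    def acceptable_root(self, root: bytes) -> bool:
        # Hardened check: the zero root is never acceptable, whatever storage says.
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirmed_at = self.confirm_at.get(root, 0)
        return confirmed_at != 0 and self.now >= confirmed_at

    def prove(self, message: bytes, root: bytes) -> None:
        # A real contract verifies a Merkle proof here; the model assumes it passed.
        self.messages[message_hash(message)] = root

    def process(self, message: bytes) -> bool:
        h = message_hash(message)
        if h in self.processed:
            return False  # replay protection
        # An unproven message has no entry; in contract storage that reads as zero bytes.
        root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        return True


def vulnerable_replica() -> Replica:
    r = Replica()
    r.confirm_at[ZERO_ROOT] = 1  # the upgrade step that trusted root 0x00
    return r


def hardened_replica() -> Replica:
    # Same misconfiguration applied, but the explicit zero-root guard still holds.
    r = Replica(reject_zero_root=True)
    r.confirm_at[ZERO_ROOT] = 1
    r.confirm_at[LEGIT_ROOT] = 1
    return r


def demo() -> dict:
    unproven = b"constructed: message that was never proven"
    proven = b"constructed: message proven under LEGIT_ROOT"
    v = vulnerable_replica()
    h = hardened_replica()
    h.prove(proven, LEGIT_ROOT)
    return {
        "vulnerable_accepts_unproven": v.process(unproven),
        "hardened_accepts_unproven": h.process(unproven),
        "hardened_accepts_proven": h.process(proven),
        "hardened_accepts_replay": h.process(proven),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take away for anyone reviewing an upgrade or initialization routine of this kind: a default or sentinel value in storage must never collide with a value that a later check treats as trusted, and the check should reject the sentinel explicitly rather than rely on it never being confirmed.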

Blockchain security firm PeckShield Inc noted that it had identified 41 addresses that took $152 million (80% of the total), including roughly 7 MEV bots ($7.1 million), 6 white hats ($8.2 million), and an address belonging to the Rari Capital exploiter ($3.4 million).

The security company explained that 10% of the addresses that participated in the hack had Ethereum Name Service (ENS) names, while 3,780 ETH had already been moved to Tornado Cash.

More DeFi Attacks

Nomad is one of the latest bridges to suffer an exploit after the Ronin Network, which lost $625 million in investors’ funds to hackers earlier this year. 

The exploit came a few days after Nomad received $22 million in a seed round from Coinbase Ventures, CryptoCom Capital, and Hack VC, among others. 

Last month, another DeFi application, Harmony Protocol, lost $100 million after attackers exploited a vulnerability in its Horizon Bridge to steal 85,837 ETH from the protocol.