Nomad, a bridge protocol for transferring crypto tokens across different blockchains, has suffered a cybersecurity incident in which hackers made off with almost all the funds in the wallet. According to estimates, the cryptocurrency stolen in the attack is worth close to $200 million.
The affected assets include wrapped versions of Bitcoin, Ethereum and several stablecoins like USDT and USDC, all of which were being used cross-chain between different blockchains, including Ethereum, Avalanche and Cardano.
The funds were drained over hours and in small batches by various accounts. According to blockchain security firm PeckShield, more than 41 IP addresses were identified as involved in the theft.
Nomad has acknowledged the attack and said that an investigation into the incident is ongoing. It's not entirely clear how the attack was executed, or whether the company intends to reimburse users.
According to a security researcher who goes online as samczsun, a recent update to one of Nomad’s smart contracts made it easy for users to spoof transactions.
“... you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” samczsun explained.
The attack makes Nomad the latest bridge to suffer a theft this year. In March, cyber actors hacked the Ronin network used for the Axie Infinity blockchain-based game and stole more than $620 million in cryptocurrency. A month later, in April, US authorities accused the North Korea-linked advanced persistent threat (APT) groups known as Lazarus Group and APT38 of the theft.