Over $190 million was drained from cross-chain cryptocurrency bridge Nomad on Monday in what is being described as one of the most perplexing hacks in DeFi history.
What Happened: On Aug. 1, market participants observed millions of dollars being drained from the Nomad contract address.
2/ It all started when @officer_cia shared @spreekaway‘s tweet in the ETHSecurity Telegram channel. Although I had no idea what was going on at the time, just the sheer volume of assets leaving the bridge was clearly a bad sign pic.twitter.com/klHNfthVvj
— samczsun (@samczsun) August 1, 2022
See Also: Huobi Global Sees Itself As Safe-Haven ‘Not Affected’ By Crypto Winter, Turmoil
Data from DeFi Llama shows that more than $190 million worth of Ethereum ETH/USD and other tokens were drained from the Total Value Locked (TVL) in the bridge.
From $190,740,000 to $1,794 in hours
But it wasn’t a flashloan, or even carried out by a single group
After an initial attacker struck, hundreds of separate accounts figured out the trick and copypasta-ed their way into grabbing stolen funds pic.twitter.com/ef0A9djdnf
— foobar (@0xfoobar) August 2, 2022
“A perplexing aspect of this vulnerability was that all users had to do to hack bridge funds was copy the original hacker’s transaction calldata, replace the original address with a personal one, and the tx would succeed!” wrote DeFi protocol code auditor “foobar” on Twitter. “Easy as CTRL-C, CTRL-V.”
A number of users who were observed replicating the exploit and grabbing the stolen funds have publicly come forward to return the tokens. According to foobar, the vulnerable process function enabling the hack was lying in plain sight — in the Nomad audit report itself.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad () (@nomadxyz_) August 1, 2022
The Nomad team said they were aware of the token bridge being compromised and were currently investigating the exploit.
Earlier this year, Nomad raised $22 million from investors led by Polychain Capital in the name of “security-first interoperability.”
The round saw participation from high-profile investors like AT&T Inc.’s T venture capital arm.
Nomad has also attracted angel investment from Coinbase Global Inc COIN and the foundations behind the Polkadot and Avalanche blokchains.