Here’s How $200M in Crypto Was Drained From Nomad Protocol, According to a Security Expert

Halborn Chief Information Security Officer Steven Walbroehl joined CoinDesk TV’s “First Mover” to discuss how Nomad’s bridge lost $200 million in less than 24 hours.

AccessTimeIconAug 2, 2022 at 7:44 p.m. UTC
Updated May 11, 2023 at 5:44 p.m. UTC
Layer 2

A function irregularity on cross-chain messaging protocol Nomad gave leeway for upward of $200 million to be siphoned off the platform, according to one security expert.

Steven Walbroehl, chief information security officer at blockchain security firm Halborn, told CoinDesk TV that a recent update to Nomad’s smart contracts backfired, prompting transactions on the protocol to be automatically approved.

The result, although unclear, created a domino-like effect. “Once one person found out about it, it was a crazy mad rush of people who [could] go in there and copy the transaction and say, ‘Hey, I guess I’ll pay myself too, out of the bridge,’” Walbroehl said on CoinDesk TV’s “First Mover” program.

Nomad, which primarily serves as a bridge for users to send and receive tokens among different blockchains, told users Monday evening via a tweet that it was “aware of the incident involving the Nomad token bridge.” By then, the protocol had lost $45 million.

Two hours later, the protocol told users it was “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.” By midnight on Monday, the protocol had lost nearly $200 million.

Walbroehl said that a user did not need to have extensive knowledge of such things as Merkle trees (the way data is handled) or the Solidity programming language to engage in the hack. In fact, “all you had to do [was] find a transaction that worked and then replace that address with your own.”

In Nomad’s case, however, all transactions were given the green light, whether or not they were legit. The protocol uses Merkle trees to validate transactions. They are primarily “used to provide blockchain data more securely and efficiently by proving a transaction is valid.”

Walbroehl said that bridges such as Nomad are likely prone to exploits because “most often this is where all the value is stored” – and thus bridges are enticing to hackers.

“You’re going to the vaults to rob the bank, rather than trying to go out and pick everybody's wallet,” he said. “Just go right for the bank.”

The second reason Walbroehl points to is complicated programming, especially when it comes to “two different protocols.”

“If you combine high value with complicated programming and lots of errors happen, that’s where hacks come from,” he said.

Walbroehl believes that the best way to prevent future hacks “is to put defense in depth – do security audits.” In addition, he said that developers should get others to look at their code, as well as testing it on their own.

For users, Walbroehl emphasizes “being aware of the bridges or the bridges that you’re investing in.”

Nomad told CoinDesk that an ongoing investigation is underway and that law enforcement officials have also been notified.

The decentralized finance (DeFi) platform – which recently raised upward of $22 million in a seed round led by big crypto players including Coinbase Ventures and OpenSea – is the latest protocol to face a heavy-handed hack. Back in April, the gaming-focused Ronin Network faced a hack of more than $600 million.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Fran Velasquez

Fran is CoinDesk's TV writer and reporter.