Here’s How $200M in Crypto Was Drained From Nomad Protocol, According to a Security Expert

Halborn Chief Information Security Officer Steven Walbroehl joined CoinDesk TV’s “First Mover” to discuss how Nomad’s bridge lost $200 million in less than 24 hours.

AccessTimeIconAug 2, 2022 at 7:44 p.m. UTC
Updated May 11, 2023 at 5:44 p.m. UTC
AccessTimeIconAug 2, 2022 at 7:44 p.m. UTC
Updated May 11, 2023 at 5:44 p.m. UTC
Layer 2
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

A function irregularity on cross-chain messaging protocol Nomad gave leeway for upward of $200 million to be siphoned off the platform, according to one security expert.

Steven Walbroehl, chief information security officer at blockchain security firm Halborn, told CoinDesk TV that a recent update to Nomad’s smart contracts backfired, prompting transactions on the protocol to be automatically approved.

The result, although unclear, created a domino-like effect. “Once one person found out about it, it was a crazy mad rush of people who [could] go in there and copy the transaction and say, ‘Hey, I guess I’ll pay myself too, out of the bridge,’” Walbroehl said on CoinDesk TV’s “First Mover” program.

Nomad, which primarily serves as a bridge for users to send and receive tokens among different blockchains, told users Monday evening via a tweet that it was “aware of the incident involving the Nomad token bridge.” By then, the protocol had lost $45 million.

Two hours later, the protocol told users it was “aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds.” By midnight on Monday, the protocol had lost nearly $200 million.

Walbroehl said that a user did not need to have extensive knowledge of such things as Merkle trees (the way data is handled) or the Solidity programming language to engage in the hack. In fact, “all you had to do [was] find a transaction that worked and then replace that address with your own.”

In Nomad’s case, however, all transactions were given the green light, whether or not they were legit. The protocol uses Merkle trees to validate transactions. They are primarily “used to provide blockchain data more securely and efficiently by proving a transaction is valid.”

Walbroehl said that bridges such as Nomad are likely prone to exploits because “most often this is where all the value is stored” – and thus bridges are enticing to hackers.

“You’re going to the vaults to rob the bank, rather than trying to go out and pick everybody's wallet,” he said. “Just go right for the bank.”

The second reason Walbroehl points to is complicated programming, especially when it comes to “two different protocols.”

“If you combine high value with complicated programming and lots of errors happen, that’s where hacks come from,” he said.

Walbroehl believes that the best way to prevent future hacks “is to put defense in depth – do security audits.” In addition, he said that developers should get others to look at their code, as well as testing it on their own.

For users, Walbroehl emphasizes “being aware of the bridges or the bridges that you’re investing in.”

Nomad told CoinDesk that an ongoing investigation is underway and that law enforcement officials have also been notified.

The decentralized finance (DeFi) platform – which recently raised upward of $22 million in a seed round led by big crypto players including Coinbase Ventures and OpenSea – is the latest protocol to face a heavy-handed hack. Back in April, the gaming-focused Ronin Network faced a hack of more than $600 million.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.

Fran Velasquez

Fran is CoinDesk's TV writer and reporter.


Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.