The cross-chain token bridge Nomad was exploited Monday, with attackers draining the protocol of virtually all of its funds. The total value of cryptocurrency lost to the attack totaled near $200 million.
Nomad, like other cross-chain bridges, allows users to send and receive tokens between different blockchains. Monday’s attack is the latest in a string of highly publicized incidents which have drawn the security of cross-chain bridges into question.
The Nomad team acknowledged the exploit in a statement to CoinDesk. "An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained," the team said. "We have notified law enforcement and are working around the clock to address the situation and provide timely updates. Our goal is to identify the accounts involved and to trace and recover the funds."
Bridges typically work by locking up tokens in a smart contract on one chain and then reissuing those tokens in “wrapped” form on another chain.
If the smart contract where tokens are initially deposited gets sabotaged – as happened in Nomad’s case – the wrapped tokens no longer have any backing, which can render them worthless.
On Twitter, @samczsun, a researcher at crypto investment firm Paradigm, explained that a recent update to one of Nomad’s smart contracts made it easy for users to spoof transactions. This meant users were able to withdraw money from the Nomad bridge that didn’t actually belong to them.
Unlike some bridge attacks, where a single culprit is behind the entire exploit, the Nomad attack was a free for all.
“... [Y]ou didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it,” @samczsun explained.
Nomad: A 'secure' alternative?
Bridge attacks have become more frequent in recent months as crypto users have demonstrated an increased appetite for swapping assets between different blockchains.
While cross-chain bridges have made it possible for upstart blockchains to proliferate, bridge failures can be devastating for smaller chains that rely on them for a large amount of their total liquidity.
Evmos, one of the newer blockchains serviced by Nomad, tweeted that it would be “brainstorming community solutions” to the Nomad attack given that it “significantly impacts initial Evmos [total value locked].”
The largest decentralized finance (DeFi) attack in history, April’s Ronin bridge attack, saw over $600 million worth of crypto siphoned out of the bridge that powers the blockchain-based game Axie Infinity.
Just a few months before that, over $300 million was drained from the Wormhole bridge, wreaking havoc across the Solana blockchain community and the wider decentralized finance ecosystem.
Nomad sold investors on the vision that it would be fundamentally more secure than alternative platforms.
Just last week, it revealed that crypto heavyweights Coinbase Ventures and OpenSea were among those that participated in an April seed round that valued the company at $225 million.
This is a developing story. Check back for updates.
UPDATE (Aug. 2, 04:37 UTC): Adds statement from Nomad.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.