Coinbase-backed Nomad bridge just suffered a $190m exploit

According to the tracking platform DefiLlama, attackers removed $190.7m from the cross-chain protocol, leaving only $651.54 in the bridge's wallet.


Nomad is a cross-chain bridge that allows tokens to be moved between Avalanche, Ethereum, Evmos, Milkomeda C1, and Moonbeam. The incident began at 9:32 pm UTC, when an attacker withdrew 100 Wrapped Bitcoin (WBTC), worth about $2.3m at the time.

Over the following hours, exploiters drained as much as $190 million worth of crypto from the bridge in a range of tokens, including WBTC, USDC, DAI, Wrapped Ether (WETH), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL), and Charli3 (C3).

The funds were drained in an unusual pattern: transactions of nearly identical value were executed over and over. As reported by Cointelegraph, exactly 202,440.725413 USDC was withdrawn more than 200 times. It is unclear whether the exploit was the work of a single attacker or an organized group, although some suspect the transactions were deliberately constructed to give the impression that many attackers were involved.

Samczsun, a pseudonymous whitehat hacker and Paradigm researcher, called the attack "one of the most chaotic hacks that Web3 has ever seen." As he explained in his Twitter thread, the fatal bug in the Replica contract (the contract that receives cross-chain messages on the destination chain) caused it to process messages that had never been proven against a trusted Merkle root. As a result, anyone could find a transaction that had already worked, replace the recipient address with their own, and re-broadcast it, with no knowledge of Solidity or Merkle trees required.
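The following Python model, added here as an example and not Nomad's own code, shows why an unproven message could be processed and how the copy-paste attack works. It models only the relevant piece of the Replica: a `messages` mapping from message hash to the Merkle root it was proven against, and a `confirm_at` mapping from root to the time it becomes trusted. Both default to zero for missing keys, like EVM storage. If the zero root is ever marked as trusted (here, by initializing the replica with a zero committed root), every never-proven message reads as "proven against the zero root" and passes the check. The names, the `hardened` switch, the sha256 stand-in for keccak256 and the optimistic window value are assumptions made for the example, not details of the real contract.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace

ZERO_ROOT = b"\x00" * 32
OPTIMISTIC_SECONDS = 30 * 60  # illustrative fraud-proof window, not Nomad's actual value


def leaf_hash(data: bytes) -> bytes:
    """sha256 stands in for keccak256; only the 32-byte shape matters here."""
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    amount: int

    def encode(self) -> bytes:
        return f"{self.sender}|{self.recipient}|{self.amount}".encode()


class Replica:
    """Destination-chain inbox (simplified model, not the real contract).

    messages:   leaf hash -> Merkle root the message was proven against
    confirm_at: Merkle root -> timestamp from which that root is trusted
    Missing keys read as zero, exactly like EVM storage mappings.
    """

    def __init__(self, committed_root: bytes, hardened: bool) -> None:
        self.hardened = hardened
        self.confirm_at: dict[bytes, int] = {}
        self.messages: dict[bytes, bytes] = {}
        self.processed: set[bytes] = set()
        self._initialize(committed_root)

    def _initialize(self, committed_root: bytes) -> None:
        # Vulnerable variant: trusts whatever root the deployer passes, including
        # 0x00..00, from timestamp 1 onward. Hardened variant refuses the zero root.
        if self.hardened and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1

    def update(self, new_root: bytes, now: int) -> None:
        """Updater publishes a new root; it becomes trusted after the fraud window."""
        if self.hardened and new_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[new_root] = now + OPTIMISTIC_SECONDS

    def acceptable_root(self, root: bytes, now: int) -> bool:
        confirm = self.confirm_at.get(root, 0)
        return confirm != 0 and now >= confirm

    def prove(self, msg: Message, root: bytes, now: int) -> bool:
        """Record that msg is a leaf under root. The Merkle path verification is
        omitted; assume the caller has already recomputed root from the proof."""
        if not self.acceptable_root(root, now):
            return False
        self.messages[leaf_hash(msg.encode())] = root
        return True

    def process(self, msg: Message, now: int) -> bool:
        """The check at the heart of the incident. True means the message executes."""
        h = leaf_hash(msg.encode())
        if h in self.processed:
            return False  # exact replay of an already-processed message
        root = self.messages.get(h, ZERO_ROOT)  # never proven -> reads as zero root
        if self.hardened and root == ZERO_ROOT:
            return False  # unproven, whatever confirm_at says about the zero root
        if not self.acceptable_root(root, now):
            return False  # "!proven"
        self.processed.add(h)
        return True


def copy_paste_attack(replica: Replica, legit: Message, attacker: str, now: int) -> bool:
    """Take a message that already went through, swap in the attacker's address and
    resubmit it without any proof. True means the replica paid the attacker."""
    forged = replace(legit, recipient=attacker)
    return replica.process(forged, now)


if __name__ == "__main__":
    legit = Message("0xalice", "0xbob", 100)
    vuln = Replica(ZERO_ROOT, hardened=False)
    print("vulnerable replica pays forged message:", copy_paste_attack(vuln, legit, "0xmallory", 1_000))
    hard = Replica(leaf_hash(b"genesis"), hardened=True)
    print("hardened replica pays forged message:", copy_paste_attack(hard, legit, "0xmallory", 1_000))
```

Two things are worth noting. First, the vulnerable path never touches `prove()` at all, which is why the attack needed no understanding of Merkle proofs: the forged message simply inherits the default zero root and that root happens to be trusted. Second, each forged copy has a different recipient and therefore a different hash, so the replay guard does nothing against it, which matches the pattern of hundreds of near-identical withdrawals described above.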

Luckily for the Nomad developers, some of the funds will most likely be recovered, as a number of withdrawals were made by whitehat hackers who intend to return the tokens. So far, at least three such individuals have reached out to the protocol's team, leaving a note via the Notifi Bot on Twitter.

Following the attack, Moonbeam, a Polkadot smart contract platform, went into maintenance mode "to investigate security incident." While the investigation was under way, the chain's normal functionality, including regular transactions and smart contract interactions, was disabled. Moonbeam's native token GLMR was among the assets targeted in the Nomad exploit and lost 25% of its value.

At the time of writing, the chain's functionality has been restored and all operations continue as usual.

Nomad's developers confirmed that they were aware of the exploit and were working to address the situation. The team also announced that it had notified law enforcement and "retained leading firms for blockchain intelligence and forensics" to identify the attackers and recover the stolen funds.

In a follow-up tweet, the Nomad team also thanked the whitehats involved in the incident and asked them to hold the rescued funds until further instructions are provided.

For the Nomad protocol, the timing of the exploit is especially unfortunate, as the bridge had only completed its seed funding round in April. The platform secured $22 million in seed capital, bringing its valuation to $225m. Its backers included such major names in the crypto industry as Coinbase Ventures, OpenSea, Crypto.com, Polygon, and Wintermute.

"At Nomad, our goal is to make it safer to communicate across blockchains. We believe that secure cross-chain messaging is the key to uniting DeFi ecosystems and unlocking the true power and potential of block space, wherever it may be," the team announced on Friday. The tweet has not aged well.