
Coinbase-backed Nomad Bridge Drained of $190 Million in Security Exploit

By: Mohadesa Najumi
Updated: Aug 2, 2022, 10:51 UTC

In one of the most extensive hacks since Axie Infinity's Ronin exploit, $190 million has been stolen from the Nomad Bridge

Key Insights:

  • A security exploit has led to the Nomad Bridge losing virtually all of its funds.
  • The Nomad team is currently working with law enforcement to address the situation. 
  • Earlier this year, Nomad raised $22.4 million in its seed round, which valued the project at $225 million. 

A security exploit targeting U.S. crypto firm Nomad has allowed hackers to systematically drain a large portion of the blockchain bridge’s funds.

Through a long series of transactions, $190.7 million worth of users’ cryptocurrencies was stolen, including Wrapped Bitcoin (WBTC) and the stablecoin USDC. However, some blockchain researchers have put the figure at over $150 million.

Token Bridge Exploit

According to decentralised finance (DeFi) tracking platform DefiLlama, $190.7 million in crypto has been removed from the Nomad bridge, with only $651.54 remaining in the wallet.

The Nomad Token Bridge is a cross-chain messaging protocol that aims to enable interoperability across blockchains by allowing users to move tokens back and forth between different chains. Other use cases for Nomad include developers building cross-chain applications, asset issuers deploying tokens and decentralised autonomous organisations (DAO) executing cross-chain governance.

The San Francisco-based project witnessed its first suspicious transaction at 9:32pm UTC when an unknown individual removed 100 Wrapped Bitcoin tokens from the bridge, worth around $2.3 million.

The incident has seen WBTC, USD Coin (USDC), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) tokens taken from the bridge.

Ongoing Investigation

The Nomad team has confirmed that it is currently investigating the exploit and working with law enforcement “around the clock” to address the situation and provide timely updates. The project added that its goal is to “identify the accounts involved and to trace and recover” the stolen crypto.

The team also warned that impersonators are posing as Nomad and providing fraudulent addresses to collect funds, even though the project has not yet provided instructions for returning bridge funds.

This security exploit is somewhat unique in the sense that each token was removed in nearly equivalent denominations. For example, transactions with exactly 202,440.725413 USDC were executed over 200 times.

Part of the reason the hacker was able to drain the protocol of virtually all its funds is that Nomad’s smart contracts made it relatively easy for users to spoof transactions, in the sense that they were able to withdraw money that didn’t actually belong to them.

More specifically, bridges usually work by locking up tokens in a smart contract on one chain and then reissuing those tokens in a wrapped form on another chain. However, if the smart contract is compromised, some or all of those funds can be stolen.
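
A team monitoring a bridge can watch for both signals described above: releases on the destination chain with no matching lock on the origin chain, and the same exact amount being released over and over. The following is an added example, not Nomad's code or part of the original article; the record fields (`msg_id`, `token`, `amount`, `to`, `ts`), the thresholds and the sample data are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample records, not real chain data; all field names are assumptions.
DEPOSITS = [  # tokens locked on the origin chain
    {"msg_id": "m1", "token": "USDC", "amount": Decimal("500"), "to": "0xaaa"},
    {"msg_id": "m2", "token": "WBTC", "amount": Decimal("1.5"), "to": "0xbbb"},
]
WITHDRAWALS = [  # tokens released by the bridge on the destination chain
    {"msg_id": "m1", "token": "USDC", "amount": Decimal("500"), "to": "0xaaa", "ts": 100},
    {"msg_id": "m2", "token": "WBTC", "amount": Decimal("1.5"), "to": "0xbbb", "ts": 130},
] + [
    {"msg_id": f"x{i}", "token": "USDC", "amount": Decimal("202440.725413"),
     "to": f"0xe{i:02d}", "ts": 200 + 12 * i} for i in range(6)
]

def unbacked_withdrawals(deposits, withdrawals):
    """Return withdrawals that match no deposit, or that reuse an already-spent one."""
    locked = {d["msg_id"]: d for d in deposits}
    spent, flagged = set(), []
    for w in withdrawals:
        d = locked.get(w["msg_id"])
        backed = (d is not None and w["msg_id"] not in spent
                  and all(d[k] == w[k] for k in ("token", "amount", "to")))
        if backed:
            spent.add(w["msg_id"])  # each deposit may be released once
        else:
            flagged.append(w)
    return flagged

def repeated_amount_bursts(withdrawals, min_count=5, window=600):
    """Map (token, amount) -> peak number of releases inside any `window`-second span."""
    by_amount = defaultdict(list)
    for w in withdrawals:
        by_amount[(w["token"], w["amount"])].append(w["ts"])
    bursts = {}
    for key, stamps in by_amount.items():
        stamps.sort()
        lo = peak = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_count:
            bursts[key] = peak
    return bursts

if __name__ == "__main__":
    print(len(unbacked_withdrawals(DEPOSITS, WITHDRAWALS)), repeated_amount_bursts(WITHDRAWALS))
```

Either signal alone is a reasonable trigger for pausing releases pending review; amounts are compared as `Decimal` so that exact-match grouping is not affected by floating-point rounding.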

In April this year, Nomad raised $22.4 million in its seed round involving major players such as Coinbase Ventures, OpenSea and Crypto.com Capital, which landed the company a $225 million valuation.

About the Author

Mohadesa Najumi is a British writer who has worked within crypto, forex, financial technology, and the stock market industry. Mohadesa received her MSc in Political Science and International Relations at the University of Amsterdam.
