As evidenced by its namesake, apparently there wasn’t much security stopping a hoard of wandering strangers from breaking into the Nomad DeFi project’s token bridge, allowing hundreds of unknown hackers and some users to walk away with over $190 million crypto, leaving behind a bare pittance in the project’s wallet.
Late on Monday, users started noticing tokens being extracted from Nomad’s accounts “in million-dollar increments.” Crypto security company CertiK confirmed in a Tuesday analysis that the bridge protocol, which allows users to send tokens between separate blockchains, had been breached thanks to a routine upgrade that allowed bad actors to skip verification messages. CoinTelegraph reported that the first transaction, likely the initial hacker, managed to remove about $2.3 million in crypto from the bridge.
Apparently, this breach further allowed other users to exploit the bridge, turning it essentially into a Black Friday-esque free-for-all. CertiK’s analysis further said the vulnerability was in the token bridge’s initialization process, introduced in the flawed upgrade, allowing users to copy and paste the original hackers transaction number and replace it with a personal one. Researchers said in just four hours, other hackers, bots, and even community members drained the protocol in a “frenzied mob.”
The crypto developer who goes by Foobar on Twitter wrote that this attack was “the first decentralized crowd-looting of a 9-figure bridge in history.” There are hundreds of addresses that show they’ve received tokens from the bridge during the exploit.
Some users have actually gone back to the protocol, hanging their heads in shame and offering to return the stolen funds. Some claimed it was “an accident,” while others said they were trying to protect their friend’s assets, according to screenshots posted by Foobar. DefiLlama shows that the current value of the blockchain is sitting at just a little under $16,000.