The Nomad cryptocurrency project and its prominent investors are having a bad day.
Nomad functions as a cross-chain bridge, enabling users to move bitcoin tokens between blockchains. With Nomad, transferring some ETH, USDC, or WBTC from the Ethereum blockchain to the Moonbeam blockchain takes just a few clicks.
Behind the scenes, the bridge “locks” your money on one side and dispenses the same amount of tokens, referred to as “wrapped” tokens, on the other. If a bridge becomes popular over time, it may have a lot of money tied up in its smart contracts (imagine hundreds of millions of dollars), and if someone finds a security flaw in those smart contracts, some or all of that money may be stolen. As former Ethereum co-founder Vitalik Buterin has noted, another issue with crypto bridges is that they are by nature vulnerable to attacks from both sides.
As multiple experts on Twitter have noted, it appears that a glitch in Nomad’s smart contract allowed anyone to set up a cryptocurrency transaction so that they sent a certain amount of bitcoin on one side and received a different amount on the other. Yes, you really could transfer 0.1 Bitcoin on one side and receive 100 Bitcoin on the other.
Things become intriguing at this point. Usually, when a security flaw like this is discovered, a skilled hacker or a small group will quickly siphon off all the money. But this time, after someone successfully stole money from the Nomad bridge, others joined in and took some for themselves.
This was made possible, in part, because the security flaw was so obvious that it didn’t take much skill to recreate it. It only required “finding a transaction that worked, finding/replacing the other person’s address with yours, and then re-broadcasting it,” as security researcher @samczsun noted, and that’s exactly what people did. Imagine it as the crypto version of a large-scale robbery, where one person breaks a store window and hundreds of others pitch in to steal whatever they can.
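The copy-and-rebroadcast pattern described above leaves a recognisable trace for anyone monitoring a bridge: many different senders submitting calldata that is identical except for their own address. The following is an added detection sketch, not code from Nomad or from the original article; the transaction fields, the `0xdeadbeef` selector, the addresses and the sample transactions are all constructed for illustration.

```python
from collections import defaultdict

MASK = "<SENDER>"
BRIDGE = "0x" + "b1" * 20          # constructed placeholder contract address

def strip0x(h):
    h = h.lower()
    return h[2:] if h.startswith("0x") else h

def template(tx):
    """Calldata with every occurrence of the sender's own address masked out."""
    return strip0x(tx["input"]).replace(strip0x(tx["from"]), MASK)

def find_copycat_clusters(txs, min_senders=3):
    """Group txs whose calldata is identical except for the sender's address."""
    clusters = defaultdict(list)
    for tx in txs:
        t = template(tx)
        if MASK in t:                      # only calldata that embeds the sender
            clusters[(tx["to"].lower(), t)].append(tx)
    flagged = []
    for (to, _), group in clusters.items():
        senders = sorted({tx["from"].lower() for tx in group})
        if len(senders) >= min_senders:
            flagged.append({"to": to, "senders": senders,
                            "hashes": [tx["hash"] for tx in group]})
    return flagged

def make_tx(n, sender, amount, embed=True):
    """Build a constructed sample transaction (not real chain data)."""
    recipient = strip0x(sender) if embed else "00" * 20
    data = "0xdeadbeef" + "00" * 12 + recipient + f"{amount:064x}"
    return {"hash": f"0xsample{n}", "from": sender, "to": BRIDGE, "input": data}

ADDR = ["0x" + f"{i:02x}" * 20 for i in range(0xA1, 0xA7)]
SAMPLE_TXS = [make_tx(i, ADDR[i], 100) for i in range(4)]   # same call, 4 senders
SAMPLE_TXS.append(make_tx(4, ADDR[4], 7))                   # different amount
SAMPLE_TXS.append(make_tx(5, ADDR[5], 100, embed=False))    # sender not in calldata

if __name__ == "__main__":
    for c in find_copycat_clusters(SAMPLE_TXS):
        print(c["to"], len(c["senders"]), "senders:", c["hashes"])
```

Ordinary users bridging the same round amount to themselves would also share a template, so a hit is a triage signal to correlate with timing and outflow volume, not proof of abuse.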
Estimates of the entire amount taken range up to $190 million, but it appears that all of Nomad’s funds were siphoned off. White hat hackers frequently drain some of the funds in open-to-all, high-profile attacks like this in order to keep them safe and return them later, although it’s difficult to determine how much of that happened in this specific situation.
Nomad, which ironically calls itself a “security-first cross-chain protocol,” announced on Twitter that it is investigating the issue and that its mechanism requires “one honest person to keep the entire system safe.” According to the company, its mission is to “identify the accounts involved and to trace and reclaim the monies,” and it has alerted law enforcement. At the very least, users shouldn’t use the Nomad bridge until the problem is fixed.