Nomad, a start-up specializing in cryptocurrencies, was the victim of a huge hack which led to the evaporation of 200 million dollars. The company reportedly rolled out a bad update that opened the door to any hacker who was aware of the vulnerability. She is now trying to recover her funds and reimburse her clients.
In the world of cryptocurrencies, some companies are positioning themselves as “bridges”, allowing investors to carry out transactions outside of blockchains and, de facto, escape the various taxes that the latter impose. Because of their growing popularity, these bridges are prime targets for hackers. According to a report by Elliptic, more than one billion euros in cryptocurrencies have already been stolen from these bridges in 2022. We can cite in particular the historic hack of the Ronin bridge last April, which led to the evaporation of 560 millions of euros.
Today, a new victim is added to the list. This is the start-up Nomad, a bridge among many others. This Tuesday, August 2, the company, which presents itself quite ironically as a “cross-chain secure messaging”, confirmed to have been the target of hackers. The invoice is particularly salty: in total, it is 200 million dollars, or approximately 196 million euros, which disappeared in nature. “We are currently investigating and will provide updates as soon as we have them,” the firm said.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓?) (@nomadxyz_) August 1, 2022
Nomad loses 196 million euros due to a bad update
It is still difficult to say with certainty how this attack was perpetuated, but suspicions turn for the moment to a dubious update deployed by Nomad a few hours before. Indeed, part of the new code considered valid all transactions made by users. Concretely, this means that anyone with knowledge of the flaw could withdraw cryptocurrencies at will, like from an ATM.
Of course, it didn’t take long for the pirates to deploy an army of bots to grab some of the loot. “Without prior programming experience, any user could simply copy the transaction call data from the original attackers and replace the address with their own to exploit the protocol”explains Victor Young, founder of Analog.
On the same subject — Bitcoin: a crypto Youtuber scams his subscribers by stealing 4 million euros
For Sam Sun, researcher at Paradigm, it is “one of the most chaotic hacks Web3 has ever seen.” For the time being, it is not yet known whether Nomad plans to reimburse its customers. It seems that the company has called on white hats to help it recover some of its missing funds.