Hackers drained almost $200 million in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another, in yet another attack highlighting weaknesses in the decentralized finance space.
Nomad acknowledged the exploit in a tweet late Monday.
“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”
It’s not entirely clear how the attack was orchestrated, or if Nomad plans to reimburse users who lost tokens in the attack. The company, which markets itself as a “secure cross-chain messaging” service, wasn’t immediately available for comment when contacted by CNBC.
Blockchain security experts described the exploit as a “free-for-all.” Anyone who knew about the flaw and how it worked could seize on it and withdraw tokens from Nomad — sort of like a cash machine spewing out money at the tap of a button.
It started with an upgrade to Nomad’s code. One part of the code was marked as valid whenever users decided to initiate a transfer, which allowed thieves to withdraw more assets than were deposited into the platform. Once other attackers cottoned on to what was going on, they deployed armies of bots to carry out copycat attacks.
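The paragraph above describes a fail-open validity check: after the upgrade, a message that had never been proven was treated as valid, so any withdrawal request went through. The following Python is an added illustration and not Nomad's code; the bridge, its message layout, the status values and every function name are hypothetical. It models a replica that looks up a message's status and contrasts the buggy default (unknown messages count as proven) with the fail-closed default (unknown messages are rejected). It also marks processed messages so a proven message cannot be paid twice, but note that this alone would not have stopped the copycats described below, who submitted new messages with their own address; only the fail-closed check does that.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Hypothetical message states for the toy replica contract.
UNPROVEN, PROVEN, PROCESSED = 0, 1, 2


@dataclass(frozen=True)
class Message:
    """Constructed cross-chain message: who gets paid, how much, and a nonce."""
    recipient: str
    amount: int
    nonce: int

    def digest(self) -> bytes:
        data = f"{self.recipient}:{self.amount}:{self.nonce}".encode()
        return hashlib.sha256(data).digest()


class Bridge:
    """Toy replica: tracks message status and pays out on process()."""

    def __init__(self, default_status: int) -> None:
        # Status returned for a digest that was never recorded. This is the
        # setting an upgrade can get wrong: PROVEN here means fail-open.
        self.default_status = default_status
        self.status: dict[bytes, int] = {}
        self.paid: dict[str, int] = {}

    def prove(self, msg: Message, attested: bool) -> None:
        # Stand-in for the real proof check (Merkle proof against a trusted root).
        if not attested:
            raise ValueError("proof rejected")
        self.status[msg.digest()] = PROVEN

    def process(self, msg: Message) -> bool:
        d = msg.digest()
        # The guard: only messages whose recorded status is PROVEN may pay out.
        if self.status.get(d, self.default_status) != PROVEN:
            return False
        self.status[d] = PROCESSED  # a proven message pays out at most once
        self.paid[msg.recipient] = self.paid.get(msg.recipient, 0) + msg.amount
        return True


def fail_open_bridge() -> Bridge:
    """Buggy configuration: never-seen messages look proven."""
    return Bridge(default_status=PROVEN)


def fail_closed_bridge() -> Bridge:
    """Correct configuration: never-seen messages are rejected."""
    return Bridge(default_status=UNPROVEN)


def exercise(bridge: Bridge) -> tuple[bool, bool, bool]:
    """Run one proven transfer, one unproven transfer, and one replay.

    Returns (legit_paid, unproven_paid, replay_paid).
    """
    legit = Message("alice", 100, nonce=1)
    bridge.prove(legit, attested=True)
    legit_paid = bridge.process(legit)

    unproven = Message("someone_else", 900, nonce=2)  # never went through prove()
    unproven_paid = bridge.process(unproven)

    replay_paid = bridge.process(legit)  # same message submitted again
    return legit_paid, unproven_paid, replay_paid


if __name__ == "__main__":
    print("fail-open  :", exercise(fail_open_bridge()))    # (True, True, False)
    print("fail-closed:", exercise(fail_closed_bridge()))  # (True, False, False)
```

The only difference between the two bridges is the value returned for a digest that was never written. A review or test suite that asserts "an unproven message is rejected" would catch the fail-open configuration before deployment, regardless of how the upgrade introduced it.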
“Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol,” said Victor Young, founder and chief architect of crypto startup Analog.
“Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data.”