Nomad, a cryptocurrency-focused startup, was the victim of a massive hack that wiped out $200 million. The company reportedly rolled out a bad update that opened the door for any hackers who knew about the vulnerability. It is now trying to recover the funds and repay its clients.
In the world of cryptocurrencies, some companies position themselves as “bridges” that allow investors to transact outside of the blockchain, in effect evading the various taxes levied by the latter. Due to their increasing popularity, these bridges are prime targets for hackers. According to a report by Elliptic, more than 1 billion euros of cryptocurrency has already been stolen from these bridges by 2022. We can cite in particular the historic hack of the Ronin bridge in April last year, which resulted in the evaporation of 560 million euros.
Today, a new victim was added to the list: the startup Nomad, one bridge among many others. This Tuesday, August 2, the company, whose tagline is, ironically, “Cross-chain secure messaging”, confirmed that it had been targeted by hackers. The bill was particularly steep: a total of 200 million US dollars, or about 196 million euros, vanished into thin air. “We are currently investigating and will provide an update as soon as we receive it,” the company said.
We are aware of events involving the Nomad Token Bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓🏛) (@nomadxyz_) August 1, 2022
Nomad loses 196 million euros due to update errors
It is still difficult to determine how the attack unfolded, but for now suspicion has fallen on an update deployed by Nomad a few hours earlier. Some of the new code treats every transaction submitted by users as valid. In practice, this means that anyone who knows about the vulnerability can withdraw cryptocurrency at will, as if from an ATM.
Of course, the hackers were quick to deploy an army of bots to grab some of the loot. “Without programming experience, any user can exploit the protocol by simply copying the transaction call data from the original attacker and replacing the address with their own,” explains Analog’s founder Victor Young.
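The copy-and-replace pattern described above leaves a recognizable trace: many senders submitting call data that is identical except for their own address. The following detection sketch over constructed transaction records is an added example, not code from Nomad or from this article; the record fields (`from`, `input`), the selector and the sample addresses are assumptions.

```python
from collections import defaultdict

PLACEHOLDER = "<SENDER>"

def _strip0x(value: str) -> str:
    value = value.lower()
    return value[2:] if value.startswith("0x") else value

def normalize(calldata_hex: str, sender: str) -> str:
    """Mask every occurrence of the sender's own address in the call data."""
    addr = _strip0x(sender)
    if len(addr) != 40:  # a 20-byte address is 40 hex characters
        raise ValueError(f"not a 20-byte address: {sender!r}")
    return _strip0x(calldata_hex).replace(addr, PLACEHOLDER)

def find_copycat_clusters(txs, min_senders=3):
    """Return {template: [senders]} for call data reused by several senders,
    where the only difference between copies is the sender's own address."""
    clusters = defaultdict(set)
    for tx in txs:
        template = normalize(tx["input"], tx["from"])
        # Only call data that embeds the sender's address fits the pattern.
        if PLACEHOLDER in template:
            clusters[template].add(tx["from"].lower())
    return {t: sorted(s) for t, s in clusters.items() if len(s) >= min_senders}

# --- Constructed sample data (not real transactions) ---
def _sample_call(recipient, amount="00" * 31 + "64"):
    # Assumed layout: 4-byte selector, 32-byte padded address, 32-byte amount.
    return "0xdeadbeef" + "00" * 12 + recipient[2:] + amount

A, B, C, D = ("0x" + b * 20 for b in ("11", "22", "33", "44"))
SAMPLE_TXS = [
    {"from": A, "input": _sample_call(A)},
    {"from": B, "input": _sample_call(B)},  # same call, own address swapped in
    {"from": C, "input": _sample_call(C)},
    {"from": D, "input": _sample_call(D, amount="00" * 31 + "07")},  # lone template
    {"from": D, "input": "0xa9059cbb" + "00" * 12 + A[2:] + "00" * 32},  # pays A, ignored
]

if __name__ == "__main__":
    for template, senders in find_copycat_clusters(SAMPLE_TXS).items():
        print(f"{len(senders)} senders reuse template {template[:24]}...")
        for s in senders:
            print("   ", s)
```

Run against a window of transactions sent to a single contract, a sudden cluster with many distinct senders is a signal worth alerting on.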
For Paradigm researcher Sam Sun, this is “one of the most confusing hacks Web3 has ever seen.” It is unclear whether Nomad plans to reimburse its customers. The company appears to have called on white hats to help it recover some of the lost funds.