Hackers stole $190 million from crypto exchange Nomad in a ‘free-for-all’ attack

Crypto hackers strike again. In the latest heist to hit the crypto space, U.S.-based crypto exchange Nomad has been hit by a $190 million theft, according to a report by blockchain researchers. The revelation comes just a week after Nomad raised $22 million from investors.

In a tweet, Nomad said it was “aware of the incident” and was currently investigating, without giving further details or the value of the theft.

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them,” Nomad said.

https://twitter.com/nomadxyz_/status/1554246853348036608

It’s not entirely clear how the crypto theft was orchestrated. But crypto analytics firm PeckShield told Reuters that $190 million worth of users’ cryptocurrencies were stolen, including ether and the stablecoin USDC. Other blockchain researchers put the figure at over $150 million.

However, in a follow-up tweet early this morning, Nomad said it was able to recover some of the funds without specifying the amount. “Was able to recover some of the funds. Do let us know what we should do to return them,” the company added.

https://twitter.com/mathletamine/status/1554260508408152065

In a statement to crypto news outlet CoinDesk, Nomad said it has notified law enforcement and is working with blockchain forensics firms to try to identify the accounts involved and get back the funds.

Nomad becomes the fourth victim of crypto theft. Last August, hackers stole over $90 million worth of crypto coins from the Japanese cryptocurrency exchange Liquid. The crypto startup also said that some of its digital currency wallets had been “compromised,” and that hackers were transferring the assets to four different wallets.

Update (10:06 AM EST):

We now have more details about the attack. According to blockchain security experts, it started with an upgrade to Nomad’s code. “One part of the code was marked as valid whenever users decided to initiate a transfer, which allowed thieves to withdraw more assets than were deposited into the platform. Once other attackers cottoned on to what was going on, they deployed armies of bots to carry out copycat attacks,” CNBC reported.

Security experts described the exploit as a “free-for-all,” Anyone with knowledge of the exploit and how it worked could seize on the flaw and withdraw any amount of tokens from Nomad — kind of like a cash machine spewing out money at the tap of a button.

Victor Young, founder and chief architect of crypto startup Analog told CNBC, “Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol.”

Young added, “Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data.”

Sam Sun, a research partner at crypto-focused investment firm Paradigm, also described the exploit as “one of the most chaotic hacks that Web3 has ever seen.”