Hackers drain nearly $200 million from crypto startup in ‘free-for-all’ attack

Finance

Billions of dollars of value have been wiped off the cryptocurrency market in recent months. Companies in the industry are feeling the pain. Lending and trading firms are facing a liquidity crisis and many firms have announced layoffs.
Yu Chun Christopher Wong | S3studio | Getty Images

Hackers drained almost $200 million in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another, in yet another attack highlighting weaknesses in the decentralized finance space.

Nomad acknowledged the exploit in a tweet late Monday.

“We are aware of the incident involving the Nomad token bridge,” the startup said. “We are currently investigating and will provide updates when we have them.”

It’s not entirely clear how the attack was orchestrated, or if Nomad plans to reimburse users who lost tokens in the attack. The company, which markets itself as a “secure cross-chain messaging” service, wasn’t immediately available for comment when contacted by CNBC.

Blockchain security experts described the exploit as a “free-for-all.” Anyone with knowledge of the exploit and how it worked could seize on the flaw and withdraw an amount of tokens from Nomad — sort of like a cash machine spewing out money at the tap of a button.

It started with an upgrade to Nomad’s code. One part of the code was marked as valid whenever users decided to initiate a transfer, which allowed thieves to withdraw more assets than were deposited into the platform. Once other attackers cottoned on to what was going on, they deployed armies of bots to carry out copycat attacks.

“Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol,” said Victor Young, founder and chief architect of crypto startup Analog.

“Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data.”

Sam Sun, research partner at crypto-focused investment firm Paradigm, described the exploit as “one of the most chaotic hacks that Web3 has ever seen” — Web3 being a hypothetical future iteration of the internet built around blockchain technology.

Nomad is what’s known as a “bridge,” a tool that lets users exchange tokens and information between different crypto networks. They’re used as an alternative to making transactions directly on a blockchain like Ethereum, which can charge users high processing fees when there’s lots of activity happening at once.

Instances of vulnerabilities and poor design have made bridges a prime target for hackers seeking to swindle investors out of millions. More than $1 billion in crypto assets has been stolen through bridge exploits so far in 2022, according to a report from crypto compliance firm Elliptic.

In April, a blockchain bridge called Ronin was exploited in a $600 million crypto heist, which U.S. officials have since attributed to the North Korean state. Some months later, Harmony, another bridge, was drained of $100 million in a similar attack.

Like Ronin and Harmony, Nomad was targeted through a flaw in its code — but there were a few differences. With those attacks, hackers were able to retrieve the private keys needed to gain control over the network and start moving out tokens. In Nomad’s case, it was much simpler than that. A routine update to the bridge enabled users to forge transactions and make off with millions’ worth of crypto.

Products You May Like

Articles You May Like

Coinbase shares soar 10% in boost from meme traders, BlackRock crypto deal
Berkshire Hathaway reports operating earnings surge, but posts big investment loss amid market rout
These 30 companies will help employees pay off their student loans
Novavax cuts 2022 revenue guidance in half, stock tanks in after-hours trading
Stocks making the biggest moves premarket: Expedia, Block, Lyft and more

Leave a Reply

Your email address will not be published.