Hackers exposed yet another weakness in the DeFi space as they drained almost $200 million in cryptocurrency from a token bridge called Nomad.
Nomad commented on the exploit in a tweet late Monday, saying that it is aware of the incident and is currently investigating. Nomad has not yet said whether it plans to reimburse users for lost tokens.
Blockchain security experts described the exploit as a chaotic free-for-all: anyone who knew about the vulnerability and how it worked could simply withdraw any amount of tokens from Nomad, like a broken ATM.
It is believed to have started with a recent upgrade to Nomad’s code that allowed users to initiate a transfer and withdraw more assets than they had deposited into the platform. Once other attackers realized what was happening, they quickly deployed a swarm of bots to execute copycat attacks.
“Without prior programming experience, any user could simply copy the original attackers’ transaction call data and substitute the address with theirs to exploit the protocol,” said Victor Young, founder and chief architect of crypto startup Analog.
“Unlike previous attacks, the Nomad hack became a free-for-all where multiple users started to drain the network by simply replaying the original attackers’ transaction call data.”
According to CoinDesk, hackers sent $9 million back to Nomad a day after the exploit, which equates to around 4.75% of the total loss.
So far in 2022, a cumulative $1 billion in crypto assets has been stolen through bridge exploits, according to a report from crypto compliance firm Elliptic.