Coinbase-backed Nomad Bridge Drained of $190 Million in Security Exploit

Token Bridge Exploit

According to decentralised finance (DeFi) tracking platform DefiLlama, $190.7 million in crypto has been removed from the Nomad bridge, with only $651.54 remaining in the wallet.

The Nomad Token Bridge is a cross-chain messaging protocol that aims to enable interoperability across blockchains by allowing users to move tokens back and forth between different chains. Other use cases for Nomad include developers building cross-chain applications, asset issuers deploying tokens and decentralised autonomous organisations (DAO) executing cross-chain governance.

The San Francisco-based project witnessed its first suspicious transaction at 9:32pm UTC when an unknown individual removed 100 Wrapped Bitcoin tokens from the bridge, worth around $2.3 million.

The incident has seen WBTC, USD Coin (USDC), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) tokens taken from the bridge.

Ongoing Investigation

The Nomad team has confirmed that it is currently investigating the exploit and working with law enforcement “around the clock” to address the situation and provide timely updates. The project added that its goal is to “identify the accounts involved and to trace and recover” the stolen crypto.

The team also highlighted that impersonators are posing as Nomad and providing fraudulent addresses to collect funds, even though the project has not yet provided instructions to return bridge funds.

This security exploit is somewhat unusual in that each token was removed in nearly equivalent denominations. For example, transactions with exactly 202,440.725413 USDC were executed over 200 times.
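The repeated identical amounts described above are a pattern a bridge monitor can alert on. The following is an added example, not code from Nomad or from the original article: the `Withdrawal` record, the function name, the thresholds and all sample events are constructed for illustration, with amounts held as integer base units so that "exactly the same amount" is an exact comparison.

```python
from collections import defaultdict
from typing import NamedTuple

class Withdrawal(NamedTuple):  # hypothetical, already-decoded bridge withdrawal event
    ts: int         # unix seconds
    token: str
    amount: int     # integer base units (USDC uses 6 decimals)
    recipient: str

def repeated_amount_alerts(events, min_repeats=5, window_s=3600):
    """Return (token, amount, count, distinct_recipients) for every exact amount
    withdrawn at least min_repeats times inside some window of window_s seconds."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.token, ev.amount)].append(ev)
    alerts = []
    for (token, amount), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        best, lo = [], 0
        for hi in range(len(evs)):               # sliding window over timestamps
            while evs[hi].ts - evs[lo].ts > window_s:
                lo += 1
            if hi - lo + 1 > len(best):
                best = evs[lo:hi + 1]
        if len(best) >= min_repeats:
            recipients = {e.recipient for e in best}
            alerts.append((token, amount, len(best), len(recipients)))
    return sorted(alerts, key=lambda a: -a[2])   # busiest pattern first

USDC_AMOUNT = 202_440_725_413  # 202,440.725413 USDC, the amount quoted in the article

def sample_events():
    """Constructed sample: one burst of identical withdrawals plus ordinary traffic."""
    t0 = 1_700_000_000  # constructed timestamp, not the time of the incident
    evs = [Withdrawal(t0 + 30 * i, "USDC", USDC_AMOUNT, f"0xrecipient{i:02d}")
           for i in range(8)]
    evs += [
        Withdrawal(t0 + 100, "USDC", 1_500_000_000, "0xuserA"),
        Withdrawal(t0 + 900, "USDC", 73_250_000, "0xuserB"),
        Withdrawal(t0 + 50, "WBTC", 10_000_000_000, "0xuserC"),  # 100 WBTC, 8 decimals
    ]
    # Same amount repeated once a day by one user: outside the default window.
    evs += [Withdrawal(t0 + 86_400 * i, "DAI", 10**21, "0xuserD") for i in range(6)]
    return evs

if __name__ == "__main__":
    for alert in repeated_amount_alerts(sample_events()):
        print(alert)
```

The distinct-recipient count separates many addresses taking the same amount from one account that legitimately repeats a transfer, so it is worth alerting on both numbers together.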

Part of the reason that the hacker was able to drain the protocol of virtually all its funds is that Nomad’s smart contracts made it relatively easy for users to spoof transactions, meaning they were able to withdraw money that didn’t actually belong to them.

More specifically, bridges usually work by locking up tokens in a smart contract on one chain and then reissuing those tokens in a wrapped form on another chain. However, if the smart contract is compromised, some or all of those funds can be stolen.

In April this year, Nomad raised $22.4 million in its seed round involving major players such as Coinbase Ventures, OpenSea and Crypto.com Capital, which landed the company a $225 million valuation.

This news is republished from another source. You can check the original article here
