Nomad Lost Nearly $190m TVL in “Decentralized Robbery”

Cross-chain token bridge Nomad was breached on Monday, resulting in losing nearly all the total value locked (TVL) of the cryptocurrency in the protocol for nearly $200 million.

In a statement published on Twitter, the trading platform confirmed the hacking incident:

“We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.”

The protocol also warned that “impersonators posing as Nomad and providing fraudulent addresses to collect funds,” adding, “We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel.”

As a sort of cross-chain bridges, the protocol allows users to swap various tokens, such as Ethereum (ETH), Avalanche (AVAX), Evmos (EVMOS), Milkomeda C1, and Moonbeam (GLMR).

Citing the data from DeFi Llama, a Defi tracking data platform, the total value locked (TVL) of Nomad reached up to $190 million before the exploit, according to the online media outlet Cryptonews. The platform showed the TVL of Nomad remains less than $11,000 at the time of writing.

Source: DefiLlama

Another cybersecurity platform BlockSec estimates the total loss in this incident is estimated around $150 million worth of Tether (USDT). The monitoring platform suggested that some loopholes might exist in Nomad’s verification procedure among functions: “Since an uninitialized storage slot is always considered as zero, the attacker can actually pass any message that has never shown before to bypass the verification procedure.”

Anonymous Terra researcher FatMan described the incident as “the first decentralized robbery,” adding that “all one had to do was copy the first hacker’s transaction and change the address, then hit send through Etherscan.”

Online media CoinDesk explained that bridges typically function by locking up tokens in a smart contract on one chain and then reissuing those tokens in “wrapped” form on another chain.

In addition, If the smart contract where tokens are initially deposited gets sabotaged in terms of Nomad’s situation, the wrapped tokens might no longer have any protection, resulting in losing their values.

Last month, Nomad announced it has secured a strategic investment of $22.4 million in April from various investors, including OpenSea, CoinBase Ventures, Crypto.com and Polygon. 

Ironically, the latest security loophole might make the company feel embarrassed to keep its words and pursue ambitions as Nomad showed its determination by setting its primary goal to “create a safer crypto ecosystem where blockchains can communicate seamlessly and securely with each other,” according to its press release.

The company estimated that more than $1.5 billion was stolen this year by hackers exposing vulnerabilities in cross-chain bridges, indicating that the industry is in need of security-first solutions that maximize the safety of users, funds, and messages.

Image source: Nomad, DefiLlama