Nomad token bridge drained $190 million in security exploit

The Nomad token bridge appears to have experienced a security exploit that allowed hackers to systematically drain funds from the bridge ...


The Nomad token bridge appears to have experienced a security exploit that allowed hackers to systematically drain funds from the bridge over a long series of transactions.

Almost all of the $190.7 million worth of crypto has been removed from the bridge, with only $651.54 left in the wallet, according to the decentralized finance (DeFi) tracking platform. Challenge Llama.

The first suspect transactionwhich may have been the source of the ongoing exploit, happened at 21:32 UTC when someone managed to withdraw 100 Wrapped Bitcoin (WBTC) worth around 2.3 million tokens from the bridge.

Shortly after the community raised the alarm about the potential exploit, the Nomad team confirmed at 23:35 UTC that they were aware of “the incident involving the Nomad token bridge”, adding that they “currently investigating the incident”. The team did not immediately respond to a request for comment.

The incident saw WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (AID), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) taken from the deck.

The exploiters removed the tokens in an unusual way, as each token was removed in nearly equivalent denominations. For example, trades with exactly 202,440.725413 USDC have been executed over 200 times.

Nomad is a token bridge that allows token transfers between Avalanche (AVAX), ethereum (ETH), Evmos (EVMOS), Milkomeda C1 and Moonbeam (GLMR).

Unlike other exploits that have become a bit banal in 2022, this event so far has hundreds of addresses receiving tokens directly from the bridge.

Meanwhile, the Polkadot network’s Moonbeam smart contract platform, whose native GLMR token was one of the targets of the Nomad exploit, went into effect. maintenance mode at 23:18 UTC “to investigate a security incident”. As a result, Moonbeam features such as regular user transactions and smart contract interactions will be disabled.

The attack is ill-timed for Bridge, which and its seed round investors from a fundraiser in April. On July 29, the project revealed in a Tweeter that Coinbase Ventures, OpenSea and five other big names in the crypto industry participated in a fundraising in April that earned Nomad a valuation of $225 million.