Cryptocurrency hacks are all too common, but they’ve rarely been quite so anarchic as the latest example. As The Verge notes, Nomad has confirmed that its cryptocurrency bridge (a service that lets you swap tokens between blockchains) was the victim of an August 1st “incident” where a slew of hackers stole nearly $200 million in funds. As Paradigm researcher Samczsun explained, the intruders took advantage of a misconfiguration that let any reasonably knowledgeable user authorize their own withdrawals. The result was a “chaotic” hack where people could swap their crypto address into a known-good transaction to steal digital money.
In an update, Nomad said it’s “working around the clock” to resolve the problem with help from law enforcement and blockchain intelligence firms. It hopes to both pinpoint involved accounts and recover funds. A16z’s security team suggested that well-intentioned white hat hackers would return crypto they took “preemptively,” but there’s no word on identifying thieves.
Bridges like these are major targets for hackers thanks to both their high asset volume and the potential for exploits in their sophisticated code. An attacker swiped roughly $625 million from the Ronin blockchain underpinning Axie Infinity in March, and an exploit in the Wormhole bridge led to a $325 million hack in February. While the Nomad breach isn’t quite as financially damaging, it illustrates just how vulnerable bridges can be.