Cross-chain messaging protocol Nomad, which allows users to send and receive tokens between different blockchains, was drained of at least USD 150m after experiencing a security exploit that allowed bad actors to spoof messages.
The project had USD 190m in total value locked (TVL) just before the exploit began, according to DeFi tracking platform DeFi Llama. However, in a matter of hours, all the funds were drained. At the time of writing, the project currently has around USD 5,600 in TVL.
Blockchain security firm BlockSec estimated the loss to be around USD 150m. This could suggest that users themselves withdraw the remaining USD 40m from the bridge.
Etherescan transactions show that the first suspicious transaction might have occurred at 9:32 PM UTC on Monday, when a user managed to remove wrapped bitcoin (WBTC) 100 (worth around USD 2.3m) from the bridge by depositing WBTC 0.01 (around USD 230).
The Nomad team has not yet provided any further details about the hack. In their latest tweet, they warned about impersonators trying to collect funds.
“We’re aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds,” the team said. “We aren’t yet providing instructions to return bridge funds. Disregard comms from all channels other than Nomad’s official channel.”
The Nomad Bridge hack is the latest in a series of attacks targeting bridges.
As reported, in late June, a hacker exploited a vulnerability in Harmony’s Horizon Bridge, which allows token transfers between the Harmony network and Ethereum, Binance Chain (BNB), and Bitcoin (BTC), to steal USD 100m worth of different cryptoassets.
And prior to that, the Ronin Network, an Ethereum-based sidechain made for the popular play-to-earn game Axie Infinity, was exploited to the tune of USD 600m while DeFi platform Wormhole lost almost USD 325m to hackers in February.