Nomad crypto hack turns into $190 million mass theft

2025-04-27 16:02:53admin

It's not a great day for the Nomad cryptocurrency project, nor for its high-profile investors.

Nomad is a cross-chain bridge, meaning it allows users to transfer cryptocurrency tokens from one blockchain to another. So, if you want to move some ETH, USDC or WBTC from the Ethereum blockchain to the Moonbeam blockchain, Nomad makes it as easy as a couple of clicks.

Behind the scenes, the bridge "locks" your money on one side and spews out the same amount in so called "wrapped" tokens on the other side. Over time, if a bridge is popular, it can have a lot of funds (think hundreds of millions) locked in its smart contracts, and if someone finds a security hole in those smart contracts, some or all of those funds can be stolen. An additional problem with crypto bridges, as once pointed out by Ethereum co-founder Vitalik Buterin, is that they're by design vulnerable to attacks on two sides.

In case of Nomad, as pointed out by several experts on Twitter, it appears that a bug in its smart contract allowed anyone to construct a cryptocurrency transaction in such a way to send one amount of crypto on one side, but receive a larger amount on the other side. Yes, you could literally send 0.1 BTC on one side and get 100 BTC on the other side.

This is where things get interesting. Typically, when a security hole like this gets unearthed, a competent hacker or a small group will drain all of the funds within minutes. But this time, after someone successfully stole some money from the Nomad bridge, others joined in and took some money for themselves.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

One reason why this was possible was that the security hole was so blatant that it didn't require a lot of expertise to replicate. As security researchers @samczsun pointed out, "all you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it," and that's exactly what people did. Think of it as the crypto equivalent of mass looting, with one person breaking a store window and hundreds joining in to steal what they can.

The word is not final on the total amount that was stolen, but it appears that all of Nomad's funds were drained, and estimates go up to $190 million. A bit of silver lining is that, in case of open-to-all, high-profile hacks like this, white hat hackers will often drain some of the funds in order to keep them safe and return them later, but it's hard to assess how much of that was happening in this particular case.

Tweet may have been deleted

Nomad, which ironically calls itself "security-first cross-chain protocol," and claims that its mechanism requires "one honest actor to keep the entire system safe," said on Twitter that it's looking into the hack. The company told CoinDesk it has notified law enforcement, and that its goal is to "identify the accounts involved and to trace and recover the funds." Users should not used the Nomad bridge at least until the issue is resolved.