Technology · August 5, 2022

Crypto startup Nomad offers 10% bounty after $190M hack

Over $2 billion has been stolen from cross-chain bridges so far this year, according to crypto analytics firm Chainalysis

Jakub Porzycki | Nurphoto via Getty Images

Crypto firm Nomad said it was offering hackers a bounty of up to 10% to retrieve user funds after losing nearly $200 million in a devastating security exploit.

Nomad asked the thieves to return all funds in his crypto wallet. In a statement late Thursday, the company said it has recovered more than $20 million from the shipment so far.

“The bounty is for those who are now reporting and for those who have already returned funds,” Nomad said.

Nomad said it will not take legal action against hackers who return 90% of stolen assets because it will consider those individuals “white hat” hackers. White hats are like the “ethical hackers” in the cybersecurity world. They work with organizations to make them aware of issues in their software.

It comes after a vulnerability in Nomad’s code allowed hackers to loot around $190 million worth of tokens. Users could enter any value into the system and then withdraw the funds even if there were not enough funds available on the deposit.

The nature of the bug meant users didn’t need any programming skills to exploit it. When others saw what was happening, they rushed in and made the same attack.

Nomad said it is working with blockchain analytics firm TRM Labs and law enforcement to track down the stolen funds and identify the perpetrators behind the attack. It also works with Anchorage Digital, a licensed US bank focused on safekeeping cryptocurrencies to store all returned funds.

The weakest link

Nomad is a so-called crypto “bridge”, a tool that connects different blockchain networks. Bridges are an easy way for users to transfer tokens from one blockchain to another – for example, from Ethereum to Solana.

What happens is that users deposit some tokens and the bridge then generates a corresponding amount in “wrapped” form at the other end. Wrapped tokens represent a claim to the original that users can trade on platforms other than the one on which they were built.

Given the sheer volume of assets locked in bridges — plus bugs that make them vulnerable to attack — they’re notoriously an attractive target for hackers.

“Currently, these bridges have accumulated a lot of money,” Adrian Hetman, chief technical officer at crypto security firm Immunefi, told CNBC.

“If there’s a lot of money in certain places, hackers tend to find vulnerabilities there and steal that money.”

According to blockchain analytics firm Elliptic, the Nomad attack was the eighth biggest crypto hack of all time. More than 40 hackers were involved, one of whom stole nearly $42 million, Elliptic said.

The exploit brings the total amount stolen from cross-chain bridges this year to over $2 billion, according to crypto security firm Chainalysis. Out of 13 separate hacks, the largest was a $615 million attack on Ronin, a network linked to controversial crypto game Axie Infinity.

In a separate hack on Tuesday, around $5.2 million worth of digital coins were stolen from nearly 8,000 wallets connected to the Solana blockchain.