Nomad cross-chain bridge suffers massive hack worth almost $200m

by Tim

New hack in the world of cross-chain bridges: Nomad has suffered the exploitation of a flaw in its smart contracts, resulting in the draining of $190 million, or almost all of its total locked value (TVL). However, some people used the flaw to withdraw as much of the funds as possible to protect them, saying they were ready to send them back as soon as possible.

Catastrophe for Nomad cross-chain bridge

A major flaw was exploited overnight, resulting in the draining of more than $190 million from the Nomad cross-chain bridge, which exchanges tokens between Ethereum (ETH), Avalanche (AVAX), Moonbeam (GLMR), Milkomeda C1 and Evmos.

Nearly all of the funds were drained from the bridge very quickly, as shown by this chart built from the data available on DefiLlama:

Total value locked (TVL) on the Nomad bridge


According to on-chain data, the first fraudulent transaction allowed a bridge user to withdraw 100 wBTC, which was worth $2.3 million at the time. Knowledge of the flaw in the smart contracts then gradually spread, allowing anyone to withdraw the same amount of money multiple times.

Fortunately, some people withdrew as much money as they could and then declared that they had acted as whitehats to protect the funds in question, and that they would return them as soon as a reliable destination address was provided, as evidenced by this transaction.

Background to the exploit

According to a post mortem by @samczsun, a researcher at Paradigm, the flaw was a direct result of an update to the Nomad bridge smart contracts.

When a token is transferred via a bridge, it is locked to a smart contract before being redistributed in wrapped form.

In this case, the flaw in the smart contract allowed users to withdraw funds that did not belong to them. Put very simply, a coding error in the smart contract allowed all transactions to be validated automatically and repeated in a loop.

This is why this flaw could be exploited very widely and above all by almost anyone, as very little manipulation was required.
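To show how a validation step can end up approving everything, here is a toy Python model of a lock-and-release bridge, added as an illustration and not taken from Nomad's contracts. The article does not give the mechanism, so the default-value mistake modelled here (an unproven message resolving to a zero root that was marked as trusted) is an assumption, and all names and sample values are hypothetical.

```python
ZERO_ROOT = b"\x00" * 32  # value a lookup yields for a message that was never proven


class Bridge:
    """Toy lock-and-release bridge. All names here are hypothetical."""

    def __init__(self, locked, trusted_roots, hardened):
        self.locked = locked                     # tokens held by the contract
        self.trusted_roots = set(trusted_roots)  # roots the bridge accepts
        self.hardened = hardened
        self.proven = {}                         # message id -> root it was proven under
        self.processed = set()                   # per-message replay guard
        if hardened and ZERO_ROOT in self.trusted_roots:
            raise ValueError("zero root must never be trusted")

    def prove(self, msg_id, root):
        # Merkle-proof checking is out of scope; only the bookkeeping matters here.
        if root in self.trusted_roots:
            self.proven[msg_id] = root

    def process(self, msg_id, amount):
        """Release `amount` if the message is valid; return True on release."""
        if msg_id in self.processed or amount > self.locked:
            return False
        root = self.proven.get(msg_id, ZERO_ROOT)  # unproven -> default value
        if self.hardened and msg_id not in self.proven:
            return False                           # explicit "was it proven?" check
        if root not in self.trusted_roots:
            return False
        self.processed.add(msg_id)
        self.locked -= amount
        return True


def submit_unproven(bridge, count, amount=100):
    """Submit `count` constructed messages that were never proven; count releases."""
    return sum(bridge.process(f"msg-{i}", amount) for i in range(count))


GOOD_ROOT = b"\x11" * 32  # constructed sample root

# Misconfigured: the zero root was marked trusted at initialisation.
weak = Bridge(locked=1000, trusted_roots=[GOOD_ROOT, ZERO_ROOT], hardened=False)
# Corrected: zero root excluded and unproven messages rejected explicitly.
safe = Bridge(locked=1000, trusted_roots=[GOOD_ROOT], hardened=True)

if __name__ == "__main__":
    print("weak released:", submit_unproven(weak, 5), "remaining:", weak.locked)
    print("safe released:", submit_unproven(safe, 5), "remaining:", safe.locked)
```

The per-message replay guard is present in both variants and does not help the weak one, because every new unproven message passes validation on its own.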

This event is another reminder of the particular exposure of cross-chain protocols, which are often involved in large-scale hacks, the repercussions of which spread mechanically to other actors. Here, for example, the Evmos blockchain team indicated that this hack had significantly impacted its TVL.

At over $190 million, this breach is the 5th largest hack in cryptocurrency history, just behind Bitmart’s $196 million hack in April 2021.
