Last week, crypto experienced its first decentralized hack. Naturally, the hack was on a cross-chain bridge. This time it was Nomad, a bridge linking the Ethereum, Avalanche, Evmos, and Moonbeam blockchains, which held almost $200M before the hack. In the end, over $190M was stolen. The stolen tokens included large caps like ETH, WBTC, USDC, and FRAX, as well as small cap tokens like Covalent (CQT), Charli3 (C3), and Hummingbot (HBOT).
How the Nomad Hack Worked
What makes the Nomad hack unique is that its attackers weren't coordinated. On August 1, the first hacker stole 100 WBTC from the Nomad bridge. Other observers noticed they could copy-paste the hacker's code, substituting their own address for the hacker's. Hundreds of copycat hackers followed, draining Nomad of over $190M in crypto.
The hack wasn't complicated, and an auditor told the Nomad team an attack was imminent. Nomad misconfigured its smart contract so that anyone could self-authorize withdrawals. Once one hacker succeeded, anyone paying attention could hack Nomad too.
During the hack, Nomad tweeted that it was under attack: "We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them." At the time, Nomad still had $100M left, including $70M in USDC that it could've asked Circle to freeze. Within hours, that USDC was stolen.
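The copy-paste pattern described above leaves a recognizable trace for anyone monitoring a bridge: many calls to the same contract whose calldata matches an earlier call except for one address-sized field. The sketch below is an added example, not code from Nomad or from this article; the transaction field names, the calldata layout, and the 20-byte-window heuristic are assumptions, and the sample transactions are constructed.

```python
from collections import defaultdict

ADDR_LEN = 20  # bytes in an EVM address

def _hex(s):
    return bytes.fromhex(s.removeprefix("0x"))

def diff_span(a, b):
    """Length of the smallest window covering every differing byte; None if lengths differ."""
    if len(a) != len(b):
        return None
    idx = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return idx[-1] + 1 - idx[0] if idx else 0

def find_copycats(txs):
    """txs: dicts with hash, from, to, input, in block order.
    Returns {(contract, template_hash): [(copy_hash, pays_sender), ...]}."""
    templates = defaultdict(list)  # contract -> [(hash, calldata)] first-seen call shapes
    clusters = defaultdict(list)
    for tx in txs:
        data, sender = _hex(tx["input"]), _hex(tx["from"])
        for t_hash, t_data in templates[tx["to"]]:
            span = diff_span(t_data, data)
            if span is not None and span <= ADDR_LEN:
                # Same call, at most one address-sized field changed (0 = exact replay).
                pays_sender = sender in data and sender not in t_data
                clusters[(tx["to"], t_hash)].append((tx["hash"], pays_sender))
                break
        else:
            templates[tx["to"]].append((tx["hash"], data))
    return dict(clusters)

# Constructed sample: made-up selector, filler words and addresses.
def _call(recipient):
    return "0x" + "aabbccdd" + "11" * 32 + "00" * 12 + recipient + "22" * 32

A, B, C = "a1" * 20, "b2" * 20, "c3" * 20
SAMPLE = [
    {"hash": "tx1", "from": A, "to": "bridge", "input": _call(A)},
    {"hash": "tx2", "from": B, "to": "bridge", "input": _call(B)},
    {"hash": "tx3", "from": C, "to": "bridge", "input": _call(C)},
    {"hash": "tx4", "from": B, "to": "bridge", "input": "0xaabbccdd" + "44" * 96},  # unrelated
]

if __name__ == "__main__":
    for key, copies in find_copycats(SAMPLE).items():
        print(key, copies)
```

A cluster that keeps growing while the contract's balance falls is the kind of signal that would justify pausing the bridge or requesting a freeze of the remaining assets.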
Aftermath of the Nomad Hack
Like Harmony, Ronin, and other hacked bridges, Nomad is working with law enforcement to find and punish the hackers. This is unlikely to do much. Fortunately, some Nomad hackers are "white hats," or ethical hackers, who intend to return what they stole.
Initially, Nomad just asked the hackers to give its crypto back, and many white hats returned what they stole. A few days later, Nomad announced that anyone who returned 90% of what they stole would be considered a "white hat," and Nomad wouldn't pursue them legally. As of August 6, over $35M has been returned to Nomad by white hats.
It's unclear what will be done with Nomad's remaining funds, but there obviously won't be enough to reimburse all of the investors who lost their crypto.
As Nomad struggles to recover, so too do the smaller blockchains with tokens stolen in the Nomad hack. Covalent, a search API project on Ethereum, and Moonbeam, an EVM-compatible DeFi protocol on Polkadot, have both suffered. Covalent's CQT token fell to $0.05 from $0.12 during the hack, and it has only recovered to $0.09 since, a 25% loss of value. Moonbeam's GLMR token has regained most of the value it lost in the hack, but Moonbeam's DeFi TVL has fallen to $63M from $186M as a result of the Nomad hack, a 66% decrease and a strong signal that investors don't trust Moonbeam.