Crypto ‘bridge’ Nomad offers 10% bounty in $190 million hack
Crypto startup Nomad is offering 10% bounties to recover up to $190 million in digital currency that was stolen in a massive hacking attack this week.
Nomad made the announcement in a Twitter post, which included the address of its crypto wallet, and said that anyone who returns at least 90% of their share of the stolen funds will be considered a “white hat” – a hacker who works with companies to probe their networks, in some cases accepting payment in exchange for identifying security vulnerabilities. The company pledged not to take legal action against these individuals, but also reiterated its determination to recover the stolen funds by other means.
“Nomad continues to work with its community, law enforcement, and blockchain analytics companies to ensure all funds are returned,” the company wrote.
The theft occurred when a vulnerability in Nomad’s code allowed hackers to get away with nearly $190 million worth of tokens. More than $20 million had been recovered by Friday morning, according to Etherscan, a blockchain analytics platform.
Nomad functions as a blockchain bridge, allowing users to move assets from one blockchain to another, for example from bitcoin to ethereum. But it also leaves those assets exposed to what security experts describe as the weaknesses of “both sides,” that is, of either blockchain.
Blockchain analytics firm Elliptic Connect said the Nomad breach was the seventh major incident involving a crypto bridge in 2022 and the eighth-largest crypto theft of all time. Another crypto bridge, known as Ronin, suffered a $625 million theft earlier this year. In that case, hackers infiltrated the underlying blockchain powering the popular video game Axie Infinity, walking away with some 174,000 ethereum tokens.
“Bridges have long been known to be attractive to cyberhackers,” Elliptic Connect wrote in an unsigned blog post. “They typically hold large amounts of cash, as users wishing to convert funds on blockchains typically lock their assets into their contracts. They also operate on blockchains which are relatively less secure.”
The Nomad attack has been described as a “free for all” because the original hacker’s transaction could be copied by anyone, opening the floodgates for others to join the fray and withdraw funds. Elliptic Connect said it identified more than 40 “exploiters”, including one who made just under $42 million by automating the withdrawal process.
By effectively paying hackers, Nomad is employing a strategy that technology companies have long relied on to assess and improve the security of their networks.
Microsoft, for example, proclaims “let the hunt begin!” on its own bug bounty page, which offers up to $60,000 for vulnerability reports on the company’s Azure cloud platform, or $20,000 for vulnerability reports on the online gaming platform Xbox Live. Comparable rewards for Hyper-V, a virtualization program, can reach $250,000. In 2016, the Department of Defense launched its own bug bounty program called “Hack the Pentagon”.
Nomad is not the first crypto firm to engage directly with hackers.
Last August, a crypto platform called Poly Network was the target of a major attack in which someone stole over $600 million in tokens, according to CNBC. The thief had exploited a vulnerability in the company’s network code that allowed them to transfer funds to their own accounts.
But in an unusual twist, the hacker then opened a dialogue with Poly Network staff and eventually returned the funds, CNBC reported. According to reports, the company released a statement calling the hacker “Mr. White Hat,” offering a $500,000 bounty and an invitation to become the platform’s “chief security advisor.”
Cryptocurrencies in general have suffered steep declines in value throughout 2022 as bitcoin, ethereum, and other digital currencies have sold off along with the broader stock market. On Friday morning, bitcoin stood at around $23,000, up around 14% over the past month. That compares to over $66,000 in November 2021.