Update: The Nomad team reached out to Cointelegraph to clear the air about their June audit report, claiming that the vulnerability highlighted by Quantstamp was different from the one that caused the $190 million exploit. The company also confirmed that it is actively working to return funds to users.
The Nomad Bridge token hack on August 2 was the fourth largest cryptocurrency hack in history, draining nearly $200 million in crypto assets from the platform. However, more than the breach itself, the methodology behind it has received widespread attention.
The exploit stemmed from a security vulnerability in the smart contract. Hundreds of users other than the initial hacker got involved, taking as much as they could simply by copying and pasting the transaction data used by the initial hacker and changing the wallet address to their own. Because ordinary community members took part, many later described the event as a decentralized burglary.
Subsequently, the Nomad team revealed to Cointelegraph that some of the people who took the funds were acting benevolently to protect the cryptocurrency from falling into the wrong hands.
In the wake of the hack, crypto-analytics group BestBrokers found that the first exploit occurred on August 1, draining 400 Bitcoin (BTC) in four different transactions. The hackers later converted all 22,880 Ether (ETH), then moved on to over $107 million in stablecoins, and finally started converting the altcoins supported by the project.
The incident saw WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) tokens taken from the bridge.
Some altcoins stolen from the platform suffered a drop of up to 94%. Data collected by the analysis firm showed that the following altcoins suffered the biggest crash after the hack:
The report also claimed that the exploit in the smart contract had been highlighted in a security audit report conducted by Quantstamp in the first week of June.
Nomad has partnered with Anchorage Digital, a nationally regulated trustee bank, to accept and protect refundable funds. In a statement to Cointelegraph, the company said:
Nomad is asking any white-hat hacker or moral security researcher who currently holds ETH or ERC-20 tokens from a token bridge attack to please return them by sending them to the following Anchorage wallet address: 0x94A84433101A10aEda762968f6995c574D1bF154
Nomad actively works with TRM Labs, a leading chain analysis/intelligence and law enforcement firm, to track stolen funds, identify recipients’ wallets, and coordinate refunds.
As per the latest update, Team Nomad has recovered nearly $16.6 million in lost funds, of which white-hat hackers have returned $11.2 million.