September 30, 2022


The Nomad token bridge hack on August 3 was the fourth largest crypto hack in history, with nearly $200 million worth of crypto assets drained from the platform. However, it was the methodology behind the hack, more than the hack itself, that garnered widespread attention.

The exploit stemmed from a smart contract vulnerability. Hundreds of users besides the original hacker also got involved, removing what they could by simply copying the transaction data used by the original hacker and changing the wallet address to their own. Because regular members of the community took part, many later described the event as a decentralized robbery.

The Nomad team later revealed to Cointelegraph that some of the people receiving funds were acting in good faith to protect the crypto from getting into the wrong hands.

In the wake of the hack, cryptocurrency analysis team BestBrokers found that the first exploit took place on August 1st, which drained 400 Bitcoin (BTC) in four separate transactions. The hackers later diverted all 22,880 Ether (ETH), then moved on to more than $107 million worth of stablecoins and finally started diverting the altcoins supported by the project.

The incident has seen WBTC, Wrapped Ether (WETH), USD Coin (USDC), Frax (FRAX), Covalent Query Token (CQT), Hummingbird Governance Token (HBOT), IAGON (IAG), Dai (DAI), GeroWallet (GERO), Card Starter (CARDS), Saddle DAO (SDL) and Charli3 (C3) tokens taken from the bridge.

Some altcoins that were stolen from the platform suffered a decline of up to 94%. Data collected by the analytics firm showed that the following altcoins suffered the biggest collapse after the hack:

The exploited smart contract vulnerability was highlighted in a security audit report conducted by Quantstamp in the first week of June. The Nomad team even responded to the vulnerability by claiming that it was “virtually impossible to find the empty leaf preview”.

Auditors believed that the Nomad team had misunderstood the issue at the time, and within two months, the same vulnerability was responsible for nearly $200 million in losses.

Cointelegraph has reached out to Nomad with questions about the discovery and will update the story accordingly.