Nomad, a protocol that lets users transfer digital assets across different blockchains, has been drained out completely over a series of transactions in what appears to be a security exploit.
The breach has allowed hackers to move out Nomad’s entire 190M TVL, with only $4.5k remaining, according to DefiLlama data.
The first suspicious transfer, followed by a long list of transactions, occurred at 9:32pm UTC allowing someone to move 100 WBTC (Wrapped Bitcoin) worth approx $2.3 million away from the bridge.
The Nomad team posted a confirmation on Twitter at 11:35pm UTC, insisting that they were investigating the issue.
We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.
— Nomad (⤭⛓?) (@nomadxyz_) August 1, 2022
According to Twitter user samczsun, who tried to explain the exploit in a detailed thread, hackers were able to spoof messages and impose as Nomad to redirect funds to their wallets.
1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes ? pic.twitter.com/Y7Q3fZ7ezm
— samczsun (@samczsun) August 1, 2022
Wrapped Ether (WETH), WBTC, USDC, Frax (FRAX), Charli3 (C3), IAGON (IAG), Hummingbird Governance Token (HBOT), and Dai (DAI) were some of the tokens locked in the bridge that have been stolen.
Unlike other attacks, which have become quite common for bridges, this one consisted of hundreds of wallets receiving small amounts of transfers which could be due to multiple parties partaking in the hack after it was found.
Nomad completed a seed funding round as recently as April, which saw participation from Coinbase Ventures and Opensea, valuing it at $225 million.