Cryptocurrency service Nomad is offering a “bounty” to anyone who returns funds stolen from the company in a nearly $200 million theft on Monday.
Nomad said it will pay up to 10% of the digital funds taken by hackers and vowed not to pursue legal charges against parties that return at least 90% of the money.
“The most important thing in crypto is community, and our No. 1 goal is restoring bridged user funds,” Nomad CEO Pranay Mohan said in a statement. “To support that effort, we will treat any party who returns 90% or more of exploited funds as white hats. We will not prosecute white hats.”
Update: Nomad Bridge Hack Bounty
(see below for details)
— Nomad (⤭⛓🏛) (@nomadxyz_) August 4, 2022
The company released details on how to return the stolen cryptocurrency in a post on Medium. “Nomad is working closely with law enforcement and will advocate for no criminal charges when white hats return funds,” Nomad said.
The attack on Nomad started Monday and lasted into Tuesday morning, with hackers siphoning off the digital funds in a matter of hours. The company said it has since recovered $20 million.
Nomad operates a so-called blockchain bridge, which allows people to move tokens from one blockchain to another, solving the challenge of interoperability between different types of cryptocurrencies. But these technologically complex services have been prone to attacks, with hackers exploiting security vulnerabilities to steal more than $1 billion in assets so far in 2022, according to forensics firm Elliptic.
One security researcher on Twitter described the Nomad attack as “chaotic” and a “free-for-all”: once people realized that the flaw let anyone take a valid transaction request, replace the original recipient’s address with their own, and redirect the assets to their own accounts, they swarmed to drain the bridge.
12/ tl;dr a routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all
— samczsun (@samczsun) August 2, 2022
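To make the failure mode described in the tweet concrete, here is an added toy model (not Nomad’s code, and not from the article) of a receiving-side bridge contract that accepts a message only if the Merkle root it was proven against has been confirmed. The field names (`confirm_at`, `messages`), the `bad_upgrade` step and the sample recipient are the model’s own assumptions; the point is that once the zero root is marked confirmed, a message that was never proven reads back the default zero root and passes the check, and that an explicit zero-root guard closes the gap.

```python
import hashlib
from dataclasses import dataclass, field

# bytes32(0): what an unset Solidity mapping slot reads as (modelled here as a constant)
ZERO_ROOT = b"\x00" * 32


def message_hash(recipient: str, amount: int) -> bytes:
    """Constructed message identifier for the model (not a real bridge message format)."""
    return hashlib.sha256(f"{recipient}:{amount}".encode()).digest()


@dataclass
class Replica:
    """Simplified model of a bridge 'replica' that validates incoming messages."""
    confirm_at: dict = field(default_factory=dict)   # root -> block it became acceptable (0 = never)
    messages: dict = field(default_factory=dict)     # message hash -> root it was proven against
    processed: set = field(default_factory=set)
    reject_zero_root: bool = False                   # hardened variant when True

    def acceptable_root(self, root: bytes) -> bool:
        # Mirrors a 'confirmAt[root] != 0' style guard: any nonzero entry means confirmed.
        return self.confirm_at.get(root, 0) != 0

    def process(self, msg: bytes) -> bool:
        root = self.messages.get(msg, ZERO_ROOT)     # unproven message -> default zero root
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                             # fix: unproven messages never pass
        if not self.acceptable_root(root) or msg in self.processed:
            return False
        self.processed.add(msg)
        return True


def bad_upgrade(replica: Replica) -> None:
    """Models an upgrade that initialises the committed root to zero and marks it confirmed."""
    replica.confirm_at[ZERO_ROOT] = 1


def demo() -> tuple:
    unproven = message_hash("0xRECIPIENT_PLACEHOLDER", 100)   # never proven against any root
    vulnerable, hardened = Replica(), Replica(reject_zero_root=True)
    bad_upgrade(vulnerable)
    bad_upgrade(hardened)
    # A legitimately proven message under a real confirmed root still works when hardened.
    real_root = hashlib.sha256(b"constructed-merkle-root").digest()
    proven = message_hash("0xLEGIT_PLACEHOLDER", 5)
    hardened.messages[proven] = real_root
    hardened.confirm_at[real_root] = 1
    return vulnerable.process(unproven), hardened.process(unproven), hardened.process(proven)
```

Running `demo()` returns `(True, False, True)`: the vulnerable replica accepts the unproven message, the hardened one rejects it while still processing a properly proven message.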
Nomad blamed “impersonators posing as Nomad and providing fraudulent addresses to collect funds.”
The theft follows the hack of blockchain bridge Harmony in June, which lost about $100 million in the attack. These bridges are seen as especially vulnerable to hacks partly because of their relative newness and inevitable bugs, and are therefore frequently targeted by cybercriminals. Recent hacks include the $320 million Wormhole hack in February and the more than $600 million Ronin Network hack in March.
Bridges are also susceptible to theft because they hold a lot of cryptocurrencies, making them targets for hackers, and due to their lack of decentralization and oversight, according to Elliptic. Some bridges don’t require many signatures to approve a transaction, and some services have sacrificed security as they develop quickly, the group added.