Hacked crypto startup Nomad offers a 10% bounty for return of funds after $190 million attack

Over $2 billion has been stolen from cross-chain bridges so far this year, according to crypto analysis firm Chainalysis
Jakub Porzycki Nurphoto via Getty Images

Crypto company Nomad said it’s offering hackers a bounty of up to 10% to retrieve user funds after losing nearly $200 million in a devastating security exploit.

Nomad pleaded with the thieves to return any funds to its crypto wallet. In a statement late Thursday, the company said it has so far recouped more than $20 million of the haul.

“The bounty is for those who come forward now, and for those who have already returned funds,” Nomad said.

Nomad said it won’t take legal action against any hackers who return 90% of the assets they took, as it will consider these individuals to be “white hat” hackers. White hats are like the “ethical hackers” in the cybersecurity world. They cooperate with organizations to alert them to issues in their software.

It comes after a vulnerability in Nomad’s code allowed hackers to make off with around $190 million worth of tokens. Users were able to enter any value into the system and then withdraw the funds, even if there weren’t enough assets available on deposit.

The nature of the bug meant users didn’t need any programming skills to exploit it. Once others caught on to what was going on, they piled in and carried out the same attack.

Nomad said it is working with blockchain analysis firm TRM Labs and law enforcement to trace the stolen funds and identify the perpetrators behind the attack. It is also working with Anchorage Digital, a licensed U.S. bank focused on the safekeeping of cryptocurrencies, to store any funds that get returned.

The weakest link

Nomad is what’s called a crypto “bridge,” a tool that links different blockchain networks together. Bridges are a simple way for users to transfer tokens from one blockchain to another — say, from ethereum to solana.

What happens is users deposit some tokens, and the bridge then generates an equivalent amount in “wrapped” form on the other end. Wrapped tokens represent a claim on the original, which users can trade on platforms other than the one they were built on.

Given the sheer quantity of assets locked inside bridges — plus bugs making them vulnerable to attacks — they’re known to be an appealing target for hackers.

“Currently those bridges accumulate a lot of money,” Adrian Hetman, tech lead at crypto security firm Immunefi, told CNBC.

“When there is a lot of money in certain places hackers are prone to find vulnerability there and steal that money.”

The Nomad attack was the eighth-largest crypto hack of all time, according to blockchain analysis firm Elliptic. There were more than 40 hackers involved, one of whom gained just under $42 million, Elliptic said.

The exploit brings the total amount stolen from cross-chain bridges this year to over $2 billion, according to crypto security firm Chainalysis. Out of 13 separate hacks, the largest was a $615 million attack on Ronin, a network linked to the controversial crypto game Axie Infinity.

In a separate hack Tuesday, around $5.2 million in digital coins was stolen from nearly 8,000 wallets connected to the solana blockchain.

Crypto startup Nomad this week lost around $190 million in a devastating security exploit.