Nomad token bridge hacked in nearly $200 million exploit. Here's what happened

Nomad is a cross-chain communication standard that enables cheap and secure transfers of tokens and data between chains, and allows users to send and receive digital tokens between different blockchains.

Explaining how the Nomad bridge hack took place, @samczsun, a researcher at crypto investment firm Paradigm, explained that a recent update to one of Nomad’s smart contracts made it easy for users to spoof transactions. This meant users were able to withdraw money from the Nomad bridge that didn’t actually belong to them.

“This is why the hack was so chaotic - you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it. A routine upgrade marked the zero hash as a valid root, which had the effect of allowing messages to be spoofed on Nomad. Attackers abused this to copy/paste transactions and quickly drained the bridge in a frenzied free-for-all," he explained in a series of tweets.

Bridges are software that enable different types of blockchains and their respective tokens to interoperate, rather than work in silos. Bridge attacks have become more frequent in recent months as crypto-users have demonstrated an increased appetite for swapping assets between different blockchains.

The hack comes days after Nomad announced the full list of investors in its $22 million seed round, which was led by Polychain Capital, with participation from backers including Ethereal Ventures, Hack VC, Coinbase Ventures and Crypto.com Capital.

(With inputs from agencies)