Cryptocoin “token swapper” Nomad loses $200 million in coding blunder – Naked Security

Cryptocurrency protocol Nomad (not to be confused with Monad, which is what PowerShell was called when it first came out) describes itself as “an optimistic interoperability protocol that enables secure cross-chain communication,” and promises that it’s a “security-first cross-chain messaging protocol.”

In plain English, it’s supposed to let you move cryptocurrency tokens from one blockchain to another, or swap them for an equivalent token on the other chain, in a process known in the jargon as bridging.

The service is operated by a company going by the name of Illusory Systems, Inc.

Unfortunately, when it comes to cybersecurity, the word illusory seems to fit rather well.

Indeed, if you visit the Nomad “app page” right now [2022-08-02T14:25Z], you’ll notice that the service is entirely suspended, with the button you’d usually use to trade one cryptotoken for another replaced with the words BRIDGING UNAVAILABLE:

As the company’s Twitter feed notes:

Plainly told, it looks as though numerous persons unknown were able to trigger a series of transactions that paid out an enormous amount of various cryptocoins, without first paying in an equivalent amount of any other cryptocurrency.

According to cryptocurrency researcher @samczsun, the attackers were able to grab the funds by using what’s known as a replay attack, which is exactly what it sounds like: you simply re-use the data from a previous transaction, but with the original recipient’s account details replaced with your own.

According to @samczsun, a recent update in the Nomad source code inadvertently bypassed the critical test at the point the system asked itself, “Has this transaction been approved?”

As long as the transaction data was correctly structured, the transfer would go through…

…so that simply copying an existing transaction, but modifying just the “payee” field, turned out to be the simplest and easiest way to pass muster and drain out funds.
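To make the failure mode concrete, here is an added toy model of a bridge’s “pay out on the far side” step. It is constructed for this article and is not Nomad’s code: the message layout, the names, and the exact shape of the bug (modelled here as the “has this been approved?” test collapsing into a mere structure check) are assumptions, since the article does not reproduce the faulty source. What it shows is why that one test matters: with it gone, a copied message with a swapped payee pays out; with it in place, the copy is rejected because the recipient is part of the message’s identity, and a second submission of the genuine message is rejected as a replay.

```python
# Added toy model of a cross-chain bridge's "process" step, constructed for this article.
# It is NOT Nomad's code: names, message layout and the shape of the bug are assumptions.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A withdrawal message relayed from the other chain (constructed format)."""
    nonce: int
    sender: str
    recipient: str
    amount: int

    def id(self) -> bytes:
        # The recipient is part of the hashed identity, so a copy with a changed
        # payee is a *different* message and cannot borrow the original's approval.
        raw = f"{self.nonce}|{self.sender}|{self.recipient}|{self.amount}".encode()
        return hashlib.sha256(raw).digest()


class Bridge:
    def __init__(self, vault: int):
        self.vault = vault        # tokens locked on this side of the bridge
        self.approved = set()     # ids of messages the verifier has actually proven
        self.processed = set()    # ids already paid out (replay guard)
        self.paid = {}            # recipient -> total paid out

    def approve(self, msg: Message) -> None:
        """Stand-in for the proof step: only messages backed by a real deposit get here."""
        self.approved.add(msg.id())

    @staticmethod
    def well_formed(msg: Message) -> bool:
        return (msg.amount > 0
                and msg.recipient.startswith("0x")
                and msg.sender.startswith("0x"))

    def process_vulnerable(self, msg: Message) -> bool:
        # Assumed bug: the "has this been approved?" test has collapsed into a
        # structure check, so any correctly formatted message pays out.
        if not self.well_formed(msg):
            return False
        return self._pay(msg)

    def process_hardened(self, msg: Message) -> bool:
        if not self.well_formed(msg):
            return False
        mid = msg.id()
        if mid not in self.approved:   # never proven -> no payout
            return False
        if mid in self.processed:      # already paid -> replay rejected
            return False
        return self._pay(msg)

    def _pay(self, msg: Message) -> bool:
        if msg.amount > self.vault:
            return False
        self.vault -= msg.amount
        self.paid[msg.recipient] = self.paid.get(msg.recipient, 0) + msg.amount
        self.processed.add(msg.id())
        return True


def replay_with_new_payee(original: Message, attacker: str) -> Message:
    """The move the article describes: reuse a seen message, swap only the payee."""
    return Message(original.nonce, original.sender, attacker, original.amount)


def demo() -> dict:
    # Constructed sample: one legitimate 100-token withdrawal observed on-chain.
    legit = Message(nonce=1, sender="0xalice", recipient="0xalice", amount=100)
    forged = replay_with_new_payee(legit, attacker="0xmallory")

    buggy = Bridge(vault=1_000)
    buggy.approve(legit)
    results = {
        "vuln_legit": buggy.process_vulnerable(legit),
        "vuln_forged": buggy.process_vulnerable(forged),   # pays out: vault drained
        "vuln_vault": buggy.vault,
    }

    fixed = Bridge(vault=1_000)
    fixed.approve(legit)
    results.update({
        "fixed_legit": fixed.process_hardened(legit),
        "fixed_forged": fixed.process_hardened(forged),    # not approved -> rejected
        "fixed_replay": fixed.process_hardened(legit),     # already paid -> rejected
        "fixed_vault": fixed.vault,
    })
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks in `process_hardened` do different jobs: the `approved` lookup ties every payout to a message the verifier actually proved, and the `processed` set stops the same proven message being cashed twice. Dropping either is enough for an attacker who can read past transactions to mint withdrawals at will.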
