Nomad, a bridge protocol for transferring crypto tokens across different blockchains, lost close to $200 million in a security exploit on Monday, according to security firm PeckShield Inc.

The software system was drained of funds over hours and in small batches by various accounts, blockchain data shows.

"An investigation is ongoing and leading firms for blockchain intelligence and forensics have been retained," the company said in a statement. "Nomad's goal is to identify the accounts involved and to trace and recover the funds."

The attack makes Nomad the latest bridge to suffer an exploit this year. Bridges are software that enables different types of blockchains and their respective tokens to interoperate, rather than work in silos.

They have become frequent victims of hacks in recent years, with more than $1 billion stolen from bridges in 2022, according to a June report by forensics firm Elliptic.

To convert one type of coin into another, a bridge service will typically "wrap" a cryptocurrency so that it can operate on another blockchain. The bridge will need to hold reserves to back the wrapped coins, creating a huge pool of tokens for hackers to target.

The complexity of bridge software can lead to errors and make bridges vulnerable to exploitation, said Mudit Gupta, chief information security officer at Polygon. Since bridges control huge amounts of assets, they are also an attractive target for hackers, he said.

Axie Infinity's Ronin bridge lost about $600 million in March and Harmony's Horizon was drained of $100 million in June.

The hack comes days after Nomad, which describes itself as a "security-first" cross-chain messaging protocol, announced the full list of investors in its $22 million seed round led by Polychain Capital. Other backers include Ethereal Ventures, Hack VC, Coinbase Ventures and Capital.

Nomad's protocol had a software bug that allowed users to withdraw more assets than were deposited in the bridge, said Elliptic Co-founder Tom Robinson.

"After the initial hack, upwards of 40 other exploiters - comprising MEV bots, flashbots, and independent exploiters - replicated the attack in a manner that quickly drained the bridge," Robinson said.

One of the exploiters on Nomad was also involved in the $80 million hack of Rari Capital's Fuse platform in April, according to PeckShield.