Crypto startup Nomad offers 10% bounty after $190 million hack

Crypto company Nomad said it is offering hackers a bounty of up to 10% to retrieve user funds after losing nearly $200 million in a devastating security exploit.

Nomad begged the thieves to return any funds to the crypto wallet. In a statement late Thursday, the company said it has so far raised more than $20 million from the haul.

“The reason is for those who are coming forward now, and for those who have already returned funds,” Nomad said.

Nomad said that they will not take legal action against any hackers who return 90% of the assets they took, as they will consider these people to be “white hat” hackers. White hats are like the “ethical hackers” of the cybersecurity world. They work with organizations to notify them of problems in their software.

It comes after a vulnerability in Nomad’s code allowed hackers to make off with about $190 million worth of tokens. Users could deposit any value into the system and then withdraw the funds, even if there were not enough assets available on deposit.

The nature of the bug meant that users needed no programming skills to exploit it. When others caught wind of what was going on, they swooped in and carried out the same attack.

Nomad said it is working with blockchain analytics firm TRM Labs and police to trace the stolen funds and identify the perpetrators of the attack. It also partners with Anchorage Digital, a licensed US bank focused on custodial cryptocurrencies, to store any funds that are returned.

Nomad is what is called a crypto “bridge”, a tool that connects different blockchain networks together. Bridges are an easy way for users to transfer tokens from one blockchain to another – for example, from ethereum to solana.

What happens is that users deposit some tokens and the bridge then generates an equivalent amount in “wrapped” form at the other end. Wrapped tokens represent a claim on the original, which users can trade on platforms other than the one they were built on.

Given the large amount of assets locked up in bridges – plus flaws that make them vulnerable to attack – they are known to be an attractive target for hackers.

“At the moment these bridges are raising a lot of money,” Adrian Hetman, technical director at crypto-security firm Immunefi, told CNBC.

“When there is a lot of money in certain places, hackers tend to find vulnerabilities there and steal the money.”

The Nomad attack was the eighth largest crypto hack of all time, according to blockchain analytics firm Elliptic. There were more than 40 hackers involved, one of whom got just under $42 million, Elliptic said.

The exploit brings the total amount stolen from cross-chain bridges this year to over $2 billion, according to crypto-security firm Chainalysis. Of 13 separate hacks, the largest was a $615 million attack on Ronin, a network linked to the controversial crypto game Axie Infinity.

In a separate hack on Tuesday, about $5.2 million in digital coins was stolen from nearly 8,000 wallets connected to the solana blockchain.