Nomad lost $190 million in a hack of its cross-blockchain bridge on Monday. Its team says it’s working with law enforcement, has hired blockchain intelligence and forensics experts, and aims to recover the funds.
Cross-blockchain bridges use smart contracts to enable token transfers between blockchains. Bridges will typically receive and hold the tokens on one chain, then issue “wrapped” versions of those tokens on another. Despite the enormity of the sum, Nomad’s hack is otherwise unremarkable in what has become a devastating repetition of bridge hacks.
Consider the following examples from recent months:
- Hackers stole $326 million from the Ethereum-Solana bridge Wormhole in March (lead investor Jump Crypto reimbursed the 120,000 ETH).
- Another black hat group stole $611 million from Poly Network last year.
- Harmony ONE’s bridge lost $100 million to a hack two months ago.
The largest attack of 2022 so far happened in March when hackers stole $624 million from the Ethereum-Axie Infinity bridge Ronin Network. The FBI traced the attack to North Korea’s Lazarus Group.
Nomad claimed it was secure before the hack
Nomad’s $190 million loss will certainly have its own ramifications. Impacted organizations include Evmos, an Ethereum Virtual Machine (EVM) hub built on the Cosmos (ATOM) blockchain. Evmos’ team says it’s working with Nomad to investigate the exploit’s impact on users.
Fearing contagion, users of other Nomad-connected protocols also withdrew their funds. For example, Moonbeam and Milkomeda’s reported Total Value Locked (TVL) immediately fell in the aftermath of Nomad’s breach.
All along, Nomad claimed that it had learned from previous bridge hacks. It was, of course, building an innovative solution that could remain impervious to foul play. Nomad broke from tradition, building its cross-chain bridge as an app atop messaging channels. It promised a platform for cross-chain apps (“xApps”) like NFT bridges and cross-chain lending platforms.
Nomad worked with Evmos to create a bridge between Ethereum and Cosmos, an especially complicated ecosystem of interconnected blockchains. Soon, Nomad supported the Ethereum Mainnet, Cosmos, Moonbeam, and Avalanche blockchains.
In April 2022, Nomad raised $22.4 million in a seed round that included Coinbase Ventures, OpenSea, Gnosis, and Polygon. In an accompanying press release, the firm claimed to have processed $700 million from 14,000 users. It advertised use cases like sending ERC-20 tokens (not just ETH) to Ethereum Virtual Machines (EVMs) on other chains. It also provided an SDK for developers who wanted to build apps on its message-passing channels.
Nomad advertised utilities like on-chain governance for DAOs and asset issuance for token creators.
Reality sets in as Nomad hack ensues
In truth, Nomad learned very little from other bridge hacks. It succumbed to similar exploits of its permissionless system and failed to stop hackers despite hours of well-publicized attacks.
A Paradigm researcher referred to the Nomad hack as “one of the most chaotic hacks that Web3 has ever seen.” He said anyone with a basic understanding of code could have exploited Nomad’s smart contract by replacing another person’s address with their own.
According to the researcher, Nomad’s developers added a trusted root in a recent network upgrade that, astonishingly, caused every message to be treated as already proven. Commenting on possible foul play, the researcher noted the error could have been unintentional and, by itself, does not necessarily prove that Nomad’s developers were in on the exploit.
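The failure the researcher describes, modelled in Python as an added example (this is not Nomad’s code, and the page gives no contract details): the model assumes the widely reported mechanism, namely that the upgrade marked the all-zero root as acceptable, so a message that was never proven, and therefore reads as the zero root, passed the acceptance check. The `hardened` path shows the check a defender would add, rejecting the default value before consulting the trusted-root set.

```python
from dataclasses import dataclass, field
from hashlib import sha256

# Assumption: a storage slot that was never written reads as all-zero bytes, as in
# Solidity. The model uses this value for "this message was never proven".
ZERO_ROOT = b"\x00" * 32


def message_hash(sender: str, recipient: str, amount: int) -> bytes:
    """Constructed stand-in for the bridge's message hash (not Nomad's real encoding)."""
    return sha256(f"{sender}|{recipient}|{amount}".encode()).digest()


@dataclass
class Replica:
    """Model of the destination-chain contract that proves and pays out bridged messages."""
    acceptable_root: dict = field(default_factory=dict)  # root -> confirmed on this chain?
    messages: dict = field(default_factory=dict)         # message hash -> root it was proven against
    processed: set = field(default_factory=set)

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # A real bridge verifies a Merkle proof against `root` here; the model just records it.
        self.messages[msg_hash] = root

    def process(self, sender: str, recipient: str, amount: int, hardened: bool) -> bool:
        """Return True if the message is accepted and would be paid out."""
        h = message_hash(sender, recipient, amount)
        if h in self.processed:
            return False
        root = self.messages.get(h, ZERO_ROOT)  # a never-proven message reads as the zero root
        if hardened and root == ZERO_ROOT:
            return False  # mitigation: reject the default value before consulting the trusted set
        if not self.acceptable_root.get(root, False):
            return False
        self.processed.add(h)
        return True


def replica_after_bad_upgrade() -> Replica:
    """Marking the zero root as trusted turns every unproven message into an acceptable one."""
    r = Replica()
    r.acceptable_root[ZERO_ROOT] = True
    return r


def replica_with_trusted_root(root: bytes) -> Replica:
    """Replica that trusts only a genuine (constructed) root."""
    r = Replica()
    r.acceptable_root[root] = True
    return r
```

Replay of an identical message is still blocked by `processed`, which is why the real incident involved many distinct copies rather than one message repeated.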
Users who wanted to protect themselves were forced to exit entire blockchains and seek asylum inside Ethereum. A person going by “Paradigm Engineer #420” recommended removing all assets from Nomad, Evmos, Moonbeam Network, and Milkomeda and sending them back to Ethereum using a different bridge.