Cardano survives Nomad bridge hack

The interoperability of blockchains is being talked about as the future of cryptocurrencies. But there is a catch. Two interconnected blockchain networks may be secure, but the weakness may be at the point of interconnection. The Nomad bridge, which was hacked, was used for this interconnection. What does the hack mean for Cardano?

What bridges do

Bridges, as the name suggests, are used to bridge and connect two or more blockchains. They make it possible to use the coins and tokens of one blockchain on another blockchain. Bridges typically work by locking up tokens in a smart contract on one chain and then reissuing those tokens in “wrapped” form on another chain.

It is possible to use ETH coins of the Ethereum network in the Cardano network. For example, a smart contract will lock 100 ETH on the Ethereum side and issue 100 wrapped ETH on the Cardano network. On the Ethereum network, the ETH coins are still locked while on the Cardano network the wrapped ETH can be used freely. The bridge can also do the reverse process, where it burns the wrapped ETH in the Cardano network and releases the original ETH into the Ethereum network.

Nomad is a token bridge that allows users to send and receive tokens between Avalanche, Ethereum, Evmos, Moonbeam, and Milkomeda blockchains. Through Milkomeda, Nomad tokens could be used in the Cardano network. Thanks to the connection between Cardano and Ethereum, it was possible to swap Nomad tokens such as USDT, USDC, BTC, and ETH on the WingRiders exchange. Nomad tokens could be held in a Cardano wallet as they were essentially Cardano network tokens.

Tokens are issued at a 1:1 ratio, so a wrapped token is worth the same as the original. A smart contract is essentially like a custody service that must ensure that the value of the token is only used on a single network at any given time.

Nomad hack

A hacker attacked the smart contract in the Nomad bridge in which tokens were locked. The hacker succeeded in draining almost all locked tokens. At this point the wrapped tokens essentially had no backing, rendering them worthless. The total loss is 200M USD.

It is not yet known exactly what caused the problem, so it is premature to draw conclusions. It seems likely that Nomad’s smart contracts allowed users to easily forge transactions. When a user transferred funds from one blockchain to another, Nomad reportedly never carefully checked the amount. This allowed users to withdraw funds that did not belong to them. For example, an attacker could send 1 ETH and then manually call a smart contract on the other blockchain to retrieve 100 ETH.

Most bridge hacks are caused by a single attacker or a single team. In this case, however, information about the vulnerability got out, so multiple people started attacking independently. Fortunately, there were white-hat hackers among them who are determined to get the funds back. Nomad has already published an address to which the funds can be returned.

The Nomad bridge passed a security audit. However, it appears that the bug that led to the vulnerability was introduced into the smart contract on the Ethereum side via an update. This shows how important it is to repeat the security audit every time an update occurs.

Impact on Cardano

The bug was not on the Cardano, Milkomeda, or WingRiders side. All the teams of these projects are innocent, but the entire ecosystem will suffer the consequences.

The WingRiders team wanted to bring tokens from the Ethereum network into the Cardano ecosystem, which the community wanted and appreciated. WingRiders has a quality team and sought out the best available partners to work with. The Nomad bridge seemed to be a secure solution with a highly reputable team behind it. Nomad bridge was audited in June 2022 by Quantstamp, one of the leading blockchain and smart contract auditors in the space.

There is no vulnerability in the WingRiders smart contracts and the DEX continues to work without issue. Unfortunately, Nomad tokens have lost their value, which is technically not the DEX’s fault.

The most affected are all those who held Nomad tokens, as their value at the time of writing is lower than their original counterparts. WingRiders DEX is also affected, as users have gotten scared to use the exchange and Total Value Locked (TVL) has decreased.

It is important to stress that there is no fault in the Cardano network. The same goes for Milkomeda and WingRiders. Everything is still as secure as before the hack. There was a bug in the Nomad bridge software that was supposed to connect the two networks. The Nomad team is working hard to resolve the issue.

The Nomad team should resolve the issue and ideally compensate all Nomad token holders for the loss. The WingRiders team should work with the Nomad team to insist on transparent communication and a quick resolution. If the cryptocurrency space is to earn a good reputation, it must not betray users in the first place.

What next

It turns out that bridges are still the weak point of decentralization and connecting blockchain networks will be more complex than it initially appeared. Cardano’s network may be one of the most secure networks in the entire cryptocurrency space, but once it connects to another network, the team and consequently the entire infrastructure will not have security fully under their control. This is important to realize.

Native tokens are the most secure. The whole Cardano community is waiting with excitement for the algorithmic stablecoin Djed. It would be a great help if Circle would issue USDC tokens on Cardano. Maybe this is a chance for some team to come up with something similar to USDC. Wrapped tokens are a big risk at the moment.

We need bridges because, without them, blockchain networks will be impossible to connect. This would be a great pity, as it would be impossible to use BTC tokens in the Cardano network, for example. There will never be a DeFi over Bitcoin. Bitcoin has already missed the train and everything important is happening on smart contract platforms. Secure and reliable bridges are one of the last pieces of the puzzle that will allow us to connect blockchain networks.

No one, including bitcoiners, wants to entrust their coins to centralized intermediaries. Bad experiences with Three Arrows Capital, Celsius, Voyager, and BlockFi are still alive. Some DEXes have similar volumes to centralized exchanges. This is a very positive trend and decentralization is bound to win. Losing money is annoying and hurts. Together we need to get past this phase and continue to work hard on secure solutions. That is the only way.

Conclusion

We feel sorry for everyone who is now holding Nomad tokens and wondering what to do with them. When the end is good, everything will be good. It is extremely important that the Nomad team handles the problem well, communicates, and compensates users for their losses.

We hope that WingRiders users will understand the nature of the problem and come back. It is still one of the best DEXes in the Cardano ecosystem.

Cardano will survive the Nomad hack as it is only marginally affected by the problem. On the other hand, it is important to have reliable native stablecoins available in the ecosystem as soon as possible.

This article was prepared by Cardanians with support from Cexplorer.

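
A simplified model of the lock, mint, burn and release accounting from the "What bridges do" section, and of the missing amount check the article reports, as an added example (not Nomad's contract code and not part of the original article). The class, method names, users and amounts are hypothetical and constructed for illustration.

```python
class Bridge:
    """Toy lock-and-mint bridge; every name here is hypothetical."""

    def __init__(self, check_amount):
        self.check_amount = check_amount  # False models the flaw as the article reports it
        self.locked = 0         # originals held by the source-chain contract
        self.wrapped = {}       # user -> wrapped balance on the destination chain
        self.burns = {}         # burn id -> (user, amount), recorded when wrapped tokens burn
        self.released = set()   # burn ids already paid out

    def lock_and_mint(self, user, amount):
        self.locked += amount
        self.wrapped[user] = self.wrapped.get(user, 0) + amount

    def burn(self, user, amount):
        if amount <= 0 or self.wrapped.get(user, 0) < amount:
            raise ValueError("insufficient wrapped balance")
        self.wrapped[user] -= amount
        burn_id = len(self.burns) + 1
        self.burns[burn_id] = (user, amount)
        return burn_id

    def release(self, user, burn_id, claimed):
        # Hardened path: the payout must match a recorded, not yet released burn.
        if self.check_amount:
            if burn_id in self.released:
                raise ValueError("burn already released")
            if self.burns.get(burn_id) != (user, claimed):
                raise ValueError("claim does not match recorded burn")
        if claimed > self.locked:
            raise ValueError("not enough locked funds")
        self.released.add(burn_id)
        self.locked -= claimed
        return claimed

    def backing_gap(self):
        """Wrapped supply minus locked originals; 0 means backed 1:1."""
        return sum(self.wrapped.values()) - self.locked


def scenario(check_amount):
    # Constructed run: one honest holder, one user claiming 100 for a burn of 1.
    b = Bridge(check_amount)
    b.lock_and_mint("alice", 100)
    b.lock_and_mint("mallory", 1)
    burn_id = b.burn("mallory", 1)
    try:
        b.release("mallory", burn_id, 100)
    except ValueError:
        b.release("mallory", burn_id, 1)  # only the matching claim is paid
    return b.locked, b.backing_gap()
```

A non-zero backing gap is the state in which wrapped tokens are no longer covered 1:1 by locked originals, which makes it a natural value for a bridge operator to monitor.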

Thank you for this well-written article. I learned something new today as well :)