Nomad: The 5th Largest Hack In Crypto History

Cross-chain bridges were dealt another damaging blow Monday, as Nomad was exploited for $190 million, making it the fifth largest hack in crypto history.

The hack brings the total amount drained from cross-chain bridges in the last 12 months to $1.3 billion.

This is a truly unbelievable amount that has many, including Ethereum founder Vitalik Buterin, questioning whether bridges have a future in decentralized finance.

What Is Nomad?

Nomad describes itself as “an optimistic interoperability protocol that enables secure cross-chain communication.” Don’t worry; it sounds more complex than it is.

In plain English, Nomad allows users to transport tokens from one chain to another. For example, suppose I had $ETH on Ethereum but wanted it on Avalanche instead. In that case, I could use Nomad to send my $ETH from Ethereum to Avalanche.

Under the hood, Nomad is secured by an optimistic verification mechanism. This means that Nomad assumes every transaction submitted on the bridge is valid. However, each transaction must undergo a waiting period before being confirmed. During this waiting period, Watchers check the validity of the transaction. If it is found that the transaction is fraudulent, then the transaction is not confirmed.

It was the optimistic verification mechanism that went awry during the hack.

The Hack

On Monday, Nomad made a routine upgrade to the bridge. Unfortunately, as explained by Paradigm researcher @samczsun, they made a crucial mistake.

The team inadvertently made it so that transactions could be spoofed and did not have to be verified. This was a death sentence for a bridge that relied on optimistic verifications.

What makes this hack so unique and chaotic is who the hackers were. Usually, hacks are undertaken by coding geniuses who execute an intricate plan, like master thieves robbing a bank. This hack had none of that. Instead, it was more akin to looters stealing from a luxury store during a riot.

After the initial hacker found the exploit, other people discovered that they could do the same thing by simply copying a transaction that worked and changing the address with their own. News of this spread like wildfire, as people who wished to make a quick buck and white-hat hackers seeking to preserve Nomad’s funds rushed in.

A few hours later, Nomad was completely empty.

The Future of Bridges

Just because the Nomad hack is the latest in a long string of bridge hacks doesn’t make it any less painful. Many people lost a lot of money through no fault of their own.

To add insult to injury, Nomad had just closed a $22.4 million seed round in which they described themselves as “the gold standard for trust-minimized cross-chain communication.” Ouch.

Although bridges allow people to dream of a future of cross-chain applications and unified liquidity, it is clear that in their current state, they are just too dangerous. It’s tough to trust them when one mistake in a routine upgrade leads to the disappearance of $190 million.

Maybe Vitalik is right, and bridges have inherent limitations that can’t be fixed.

Perhaps he’s wrong, and there will be a truly secure bridge in the future. In any case, until that secure bridges come along, it is probably best to treat bridges with caution.