Blockchains Wrestle with 'Significant Threat'
Nomad Hack Exposes Weakness of Cross-Chain Bridges
By: Aleksandar Gilbert
Earlier this year, a Cardano user going by the pseudonym Arctic Alpha was frustrated there were no dollar-pegged cryptocurrencies on his preferred blockchain. So he decided to use a bridge protocol called Nomad to bring “multiple six figures” of USDC he’d purchased on Ethereum to Cardano.
Arctic Alpha deposited the USDC on Nomad, and Cardano minted an equal number of “wrapped” USDC. He put the wrapped USDC into a liquidity pool on Cardano and, for a while, earned between 20% and 30% APR on his deposit.
When the crypto market tanked this year, the APR on his deposit tanked with it, and Arctic Alpha decided to withdraw the USDC, leaving a hair over $100,000 in Nomad, just in case.
Monday night, scrolling through Twitter, he saw something that made his heart sink.
“Someone said, ‘Hey, [here’s] a little breakdown of what happened on Nomad,’” he told The Defiant in an interview this week, “and I was like, ‘You gotta be kidding me.’”
Arctic Alpha was one of many people who lost money when some 300 attackers took advantage of a bug in Nomad’s software to steal a combined $190M, according to a spokesperson for crypto security firm PeckShield.
The hack made off with almost all the money entrusted to the nascent protocol. (Ethical hackers who exploited the bug to squirrel away money for safekeeping have since returned almost $20M, according to data on Etherscan.)
About $2 billion in cryptocurrency has been stolen from cross-chain bridges like Nomad in 13 separate hacks in 2022, according to crypto analytics firm Chainalysis.
“Attacks on cross-chain bridges account for 69% of total funds stolen so far this year,” Chainalysis said. Then, perhaps stating the obvious: “This represents a significant threat to building trust in blockchain technology.”
Reliance on the Bridge
Bridges allow their users to move digital assets between otherwise incompatible blockchains, such as Ethereum, Cardano, and Solana. Proponents envision a “cross-chain” universe where no single blockchain is dominant and assets move seamlessly between them.
But those bridges are lucrative targets. Federico Kunze Küllmer, the co-founder and director of the Evmos blockchain, said Monday’s hack has taught him a valuable lesson.
“Nomad supported us through all the stages of our development,” Küllmer told The Defiant over Zoom this week. “We didn’t have any interoperability other than Nomad directly to Ethereum and other EVM compatible chains.”
At the time of the hack, 90% of the USDC on Evmos had been bridged over Nomad, Küllmer said, giving an example of his chain’s reliance on the bridge.
Since the hack, the total value of crypto assets locked in Evmos has dropped to $1.4M from $6.3M. Other blockchains have also lost liquidity in the days since. Moonbeam had $187M in total value locked before the hack, and is now down to $59M. Milkomeda lost almost half its assets.
“There wasn’t anything from our side that we could have done to prevent the vulnerability from happening,” Küllmer said. “We could have halted the chain, preventing tokens on Evmos from being traded or bridged over to Ethereum, et cetera.”
Choosing Nomad as Evmos’ “canonical” bridge wasn’t just about their support; it was also a tradeoff Küllmer made, he said: security for user experience. When teams of developers built applications for Evmos, Küllmer would suggest they partner with Nomad.
Because each bridge “wraps” tokens brought over from their originating blockchain and creates a new, derivative token redeemable for the original, USDC bridged to Evmos from Nomad isn’t fungible with USDC bridged via Multichain, a competing protocol.
Targets for Hackers
“I pushed to improve the user experience. We decided to work with Nomad as our canonical bridge, working closely with applications,” he said. “The trade-off was UX versus the security of having one single bridge, that in this case, got exploited, and now all the applications that were using it were severely affected.”
Küllmer said there are several reasons bridges have become such popular targets for hackers. For starters, they store a lot of money. They also provide easy exit liquidity for attackers, who can quickly move the funds to their destination of choice.
And because the technology required to move assets from one chain to another is so complicated, there are more lines of code, more room for error, and a larger “surface area for attacks.”
Küllmer still believes the technology Nomad had used was sound.
“Honestly, [the hack] was a variable that was not properly covered — it had nothing to do with the security of the bridge itself,” he said. “We believe in the team, and still do. The team is very technical and skilled.”
Nevertheless, bridge protocols will struggle going forward, he predicted. Indeed, Monday’s incident has changed how Evmos will approach the technology.
“There won’t be any more canonical bridges. Bridges themselves … will have to directly do the business development with applications instead of the protocols. That will happen in our case, most likely.”
That raises the issue of fungibility of tokens wrapped by different blockchains, but Küllmer said there were ways around that issue.
Evmos will also double down on existing liquidity incentives for users and developers, Küllmer said, as well as “native interoperability” — the ability to move assets between blockchains without a bridge.
Küllmer was part of the Cosmos blockchain team that built the inter-blockchain communication protocol, or IBC, and he predicted chains with native interoperability would gain at bridges’ expense.
As for Arctic Alpha, he was one of the lucky few.
“It’s more annoyance — that’s my primary feeling,” Arctic Alpha said. “I’m still fine financially, thankfully.”