Nomad bridge incident
This is a sad day for the whole crypto community. The root cause is another exploit having drained funds from a cross-chain bridge and affected many people across multiple blockchains.
The cross-chain token bridge Nomad was attacked on Tuesday early morning, with all of its funds drained by attackers. The hack resulted in the loss of cryptocurrencies worth close to $190 million.
This exploit did hurt users of many DeFi projects mainly on Milkomeda, EVMOS, Moonbeam and Cardano blockchains.
Similar to other cross-chain bridges, Nomad (an unrelated 3rd party to WingRiders and even Milkomeda) enables users to transmit and receive tokens between distinct blockchains. From information that is currently available it seems the bug used in the exploit was introduced with a recent update of smart contract on Ethereum side of the bridge. The exploit was not present when we last reviewed the audit released by Nomad.
We understand this is both frightening and frustrating for many of our users and the Cardano ecosystem as a whole. Our evaluation concurred with the previous evaluations by others pointing to a secure and safe partner to use for bridging stable coins and wrapped tokens first to Milkomeda side chain and then via Milkomeda bridge to Cardano. Some of the information that pointed to our decision is laid out below.
Audits
Before August 1st, the Nomad Bridge was well regarded and had not had any hacks, mailfuctions or thefts. In addition, they were audited in June 2022 by Quantstamp, one of the leading blockchain and smart contract auditors in the space. Link to report.
Experienced founders
Founding team, are experienced developers previously working at blue chip tech companies and crypto projects, such as IBM, Snapchat, C-Labs, Storj, Summa.
Backed by some of the biggest VCs
Nomad also had a strong venture backing and recently announced that they raised $22.5 million in funding at a $225 million valuation that was announced in April.
These backers are some of the biggest names in the space, including Coinbase, Polygon, OpenSea, and Crypto.com, market-maker Wintermute and decentralized finance (DeFi) platform Gnosis.
At the time we and the initial liquidity providers made the decision to use the Nomad Bridge as a means, along with the Milkomeda Bridge, to bring over wrapped versions of USDC, USDT, ETH and BTC, all our due diligence and Nomad’s standing as a secure bridge pointed to a viable and secure platform to use. It should be noted that we have no internal capabilities to audit each and every update of an EVM compatible bridge like Nomad and after the initial review, we have been relaying on their internal QA, security and release processes. Although we have some proficiency in Solidity, we are Haskell and Cardano (functional programming) developers and lack the capability to evaluate EVM code base with the sufficient rigour that we demand of our own products.
On the brighter side — it looks like a portion of the funds has been recovered by white hat hackers and the funds may be returned to users partially. It is early to speak about numbers, let’s hope for the best.
We hear you. This sucks. We lost funds as a project too. We will do our best to gather information and support the community and Nomad as best as we are able.
The collapse of the bridge caused liquidity providers to withdraw in masses from liquidity pools on Wingriders resulting in major TVL and WRT token price drop due to all the uncertainty around the incident.
It is important to note that WingRiders as project remains well funded, the platform fully functional, secure and we continue in the development according to our roadmap.
WingRiders