Nomad Bridge Hack Explained and How MAP Protocol Can Help

MAP Protocol 🟣 Bitcoin layer-2, published in MAP Protocol, Aug 2, 2022

According to CertiK Alert, the cross-chain bridge Nomad Bridge was hacked on Monday, August 1st, resulting in estimated losses of nearly $200 million. The Nomad team has acknowledged the exploit in a tweet.

What Happened?

Usually, a cross-chain bridge works by “wrapping” tokens in a smart contract and then issuing native assets to users that they can use on another chain. If the smart contract were to be exploited, the wrapped tokens would lose backing and become worthless. Unfortunately, this is where nefarious actors found a vulnerability in Nomad Bridge.

The Nomad team recently made an update to one of its smart contracts that opened the door for users to spoof transactions and withdraw money from Nomad Bridge that did not belong to them.

Unlike previous cross-chain bridge attacks (Ronin: $624m, Wormhole: $326m, Harmony: $100m, and QBridge: $80m), where there may be a single culprit behind the looting, the Nomad attack appears more chaotic. As explained by @samczsun, a researcher at crypto investment firm Paradigm, the loophole found in Nomad’s smart contract allowed the hacker to “find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
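To make the replay described above concrete, here is a Python model added as an example; it is not code from this post or from Nomad's contracts. It assumes the publicly reported root cause, which this post does not spell out: a message that was never proven resolves to a zero root, and the zero root was marked trusted at initialisation. All names (`Replica`, `run_scenario`, the sample message) are hypothetical; `run_scenario(False)` models the flawed check and `run_scenario(True)` the hardened one.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset mapping entry resolves to

def message_hash(sender, recipient, amount, nonce):
    return hashlib.sha256(f"{sender}|{recipient}|{amount}|{nonce}".encode()).digest()

def merkle_root(leaf, branch):
    node = leaf
    for sibling in branch:  # sorted-pair hashing keeps the toy proof order-free
        node = hashlib.sha256(min(node, sibling) + max(node, sibling)).digest()
    return node

class Replica:
    """Toy receiving side of a bridge (hypothetical, not Nomad's contract)."""

    def __init__(self, committed_root, reject_zero_root):
        self.trusted_roots = {committed_root}  # roots treated as confirmed
        self.reject_zero_root = reject_zero_root
        self.proven = {}        # message hash -> root it was proven under
        self.processed = set()  # message hashes already paid out

    def prove(self, msg_hash, branch):
        self.proven[msg_hash] = merkle_root(msg_hash, branch)

    def process(self, sender, recipient, amount, nonce):
        h = message_hash(sender, recipient, amount, nonce)
        if h in self.processed:
            return False  # identical message replayed
        root = self.proven.get(h, ZERO_ROOT)  # never proven -> zero root
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: unproven messages are never acceptable
        if root not in self.trusted_roots:
            return False
        self.processed.add(h)
        return True

def run_scenario(reject_zero_root):
    # Constructed scenario: initialised with a zero committed root (assumption).
    replica = Replica(ZERO_ROOT, reject_zero_root)
    leaf = message_hash("alice", "alice", 100, 1)
    branch = [hashlib.sha256(b"constructed sibling").digest()]
    replica.trusted_roots.add(merkle_root(leaf, branch))
    replica.prove(leaf, branch)
    return {
        "proven_message": replica.process("alice", "alice", 100, 1),
        "same_message_again": replica.process("alice", "alice", 100, 1),
        "copied_new_recipient": replica.process("alice", "mallory", 100, 1),
    }
```

In the flawed run the copied message with a different recipient is accepted because its hash has never been seen and its default root is trusted; the hardened run rejects it while still accepting the properly proven message.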

A Deeper Dive into Nomad’s Cross-Bridge Design

The Nomad team could have avoided this attack; unfortunately, in February 2022, they stated that they had given up on light clients in Nomad’s design because of the technical difficulty of implementing them. This choice has resulted in a loss of $190 million, and now the Nomad team needs to restore trust and confidence.

Source: Nomad Medium post, February 8, 2022

If Nomad Bridge had implemented the light client technology, which is the only decentralized cross-chain technology with maximum security, this attack likely could have been prevented. This should serve as yet another wake-up call for cross-chain security.

Developing and deploying light clients is not a “light” task. As the industry-leading omnichain infrastructure builder, MAP Protocol has prioritized light clients from day one and we’ve been investing in our full-stack development effort with over 20 experienced engineers for nearly four years. We’re thrilled that MAP Protocol, with cross-chain security as its heart and soul, will go live at the end of August.

As Nomad has learned from the attack on its smart contract, any service provider should thoroughly audit its services before it goes live. This is why MAP Protocol has gone through exhaustive code testing, utilizes hashed timelocks, and has engaged third-party professional auditors like CertiK for extra assurance.

How Nomad Can Restore its Security and Confidence

To restore security and confidence, we hope the Nomad team will reconsider its earlier decision and go back to the light client technology, which MAP Protocol is built upon. In fact, we’d gladly support Nomad in all of the technical aspects of a light-client implementation.

Smart contract management will be another key issue for Nomad to address as it works to restore security and user confidence. This can be achieved through more stringent security practices — conducting triple code test cases, adding hashed timelocks before they go live, and engaging professional auditors.

About MAP Protocol

MAP Protocol is the omnichain layer for Web3 with fully secure cross-chain communication built on Light-client and zk-SNARK technology. MAP provides the cross-chain infrastructure to public chains and dApps by connecting both EVM with non-EVM chains. Developers can access a full suite of SDKs so their dApps can easily become omnichain applications.
