Nomad bridge hacked, WingRiders liquidity impacted
Nomad bridge, a Coinbase-backed cross-chain bridge, has been hacked, leading to the loss of funds. An estimated $190 million has been lost via this exploit.
This hack was made possible by a bug that was deployed in a recent smart contract update on Ethereum's side of the bridge.
WingRiders TVL nose-dives
WingRiders is one of the Cardano DEXes that has been heavily impacted by this exploit. The DEX's smart contracts haven't been compromised, i.e., WingRiders wasn't hacked. However, most of its liquidity was in bridged-asset pools, i.e., the madUSDC/ADA, madUSDT/ADA, madWBTC/ADA & madWETH/ADA pools.
madUSDC, madUSDT, madWBTC & madWETH were assets made available on the DEX via the Nomad bridge. The hack means that 50% of liquidity in these pools has been lost, unless of course some of it can somehow be recovered.
The WingRiders team has confirmed that over 77% of their bridged assets were swapped.
4/ The project had 333k in bridged stables from the whitelist sale. Due to a bad judgment call of a team member 258k of these were swapped. The small proceeds of 76k ADA will be used for user loss compensations where possible. Once the situation stabilizes.— WingRiders (@wingriderscom) August 2, 2022
The WRT team also confirmed that its own WRT token uses separate channels, i.e., the Milkomeda and Celer bridges, to move between Cardano and the Binance Smart Chain.
Following the Nomad hack:
- WingRiders has lost the first position as the largest DEX on Cardano.
- The WRT token price dropped from 1.2 ADA per WRT to below 0.65 ADA per WRT.
- Yield farming on Nomad assets will be halted after epoch 354 on WingRiders. Rewards for epoch 354 will be distributed as usual.
- Liquidity providers and the team on WingRiders lost funds.
Other affected platforms
OccamX, a cross-chain DEX, also seems to have been affected by the Nomad bridge drain: its TVL on DefiLlama seems to have taken an abrupt dip at around the same time as the Nomad hack.
OccamX has madUSDC/mADA, madUSDT/mADA, madBTC/mADA & madETH/mADA farm pools.
The DEX responded to the hack with a response post. They acknowledged loss of funds in the aforementioned pools, madDAI, and madFRAX. OccamX also removed all pools and farms with the affected assets. Users with unwithdrawn assets in these pools will still have access to their funds.
In addition to the above precautionary measures, the DEX removed the link to the Nomad bridge from their product.
Other than WingRiders and OccamX, DeFi projects on the Milkomeda, EVMOS, and Moonbeam blockchains were affected as well.
Is there hope for liquidity providers who lost their funds?
In a response post, WingRiders has hinted that some of the funds lost in the hack might have been recovered. As more details appear, users will know if they can recover some of their losses.
it looks like a portion of the funds has been recovered by white hat hackers and the funds may be returned to users partially. It is early to speak about numbers, let’s hope for the best. ~ Wingriders on Medium
There's also the question of what steps the team behind the Nomad bridge will take to make amends, if they can. The team is said to have been backed by Coinbase, Polygon, Gnosis, OpenSea, Crypto.com, and Wintermute.
Author's Opinion: However this crypto heist episode turns out, there are two lessons to be learned here:
- Development teams behind cross-chain bridges should leave no stone unturned while deploying their software updates. Mandatory thorough audits!
- Investors should be super careful about locking in their investments in bridged assets.
Bridge exploits have enabled almost all the largest DeFi hacks to date.
First published on Aug 2, 2022