[12/20/22 Update: The Nomad Token Bridge has been relaunched and madAsset holders can begin the process of unbridging as outlined in the post below. If you require support, please reach out via our Discord or Twitter.
Note: As of the writing of this post, ~$1.2M USD-equivalent is still remaining in the staging wallet. Additional operations to unwind ~$605K USD-equivalent are ongoing, and the remaining ~$588K is set aside to payout bounties that have been requested.]
Since the Nomad Token Bridge hack, the team has been working hard on recovering funds and making the necessary updates to safely relaunch the Nomad Token Bridge. As of now, here is an overview of the status of the three steps in the process for the bridge relaunch:
- Upgrade Smart Contracts: Complete
- KYC Verification: Open
- Front-End Testing: Ongoing (TBC soon)
In preparation for the bridge relaunch, we wanted to share more info on how the relaunch will work and provide more details. This post has three parts:
- A Summary of Protocol Updates
- The Process for Bridging Back
- The Bridge Operation Plan Going Forward
Part 1: A Summary of Protocol Updates
We are upgrading the Nomad protocol for two primary reasons: to fix the vulnerability that led to the hack of the Nomad Token Bridge, and to allow for users to bridge back madAssets and access a pro-rata share of recovered funds.
We fixed the contract implementation vulnerability that led to the Nomad Token Bridge hack quickly, but the Nomad Token Bridge also needed to be redesigned to allow users to bridge madAssets back independent of the amount of recovered assets. Without this redesign, the first people to bridge back their madAssets would receive canonical tokens on a one-to-one basis until there were no canonical tokens left. Instead of leaving it as first-come, first-served, protocol changes were implemented that would:
- Give users the ability to bridge back and access a pro-rata share of already recovered funds ASAP;
- Ensure the tokens accessed from bridging back are in the original token that users had originally sent to the Nomad Bridge; and
- Provide a mechanism for impacted users to access future recovered funds if they become available.
Given the scope of these changes, a full audit of the smart contracts was completed along with an additional re-review of any remediations with our auditors. We expect to be able to share a summary of the audit publicly in the upcoming weeks.
Part 2: The Process for Bridging Back
In order to allow impacted users to begin bridging back, there will be a three-step process:
Step 1: Submit KYC Information
In order to access recovered funds, all users must successfully complete the KYC/AML verification process and link their wallet address(es) to their Coinlist account. This is necessary so we can be certain that recovered funds are accessed in a compliant manner. Users can start the process here and can find more information in the Coinlist Wallet Linking FAQs.
Step 2: Bridge back and receive NFT
Pending successful completion of Step 1, users will be able to bridge back madAssets to Ethereum and receive a unique NFT that accounts for the type and quantity of asset that is eligible to be bridged back. We will provide an update on the timing that users will be able to begin step 2 by updating this post and on our official Twitter and Discord channel.
Step 3: Use NFT to access recovered funds
The NFT grants access to a portion of the bridged asset equivalent to the recovered percentage of that asset. Users will be able to complete this step once Step 2 has been completed.
As we’ve mentioned before, users will retain ownership of their NFTs even after they access a pro-rata share of recovered funds. This will allow impacted users to continue to use these NFTs to access additional recovered funds in the future. Please note that these NFTs are soulbound / non-transferable.
To begin the process of bridging back, please visit: https://app.nomad.xyz/ or go to https://verifyplus.coinlist.co/nomad-recovery/onboarding to begin the KYC verification process.
Pro-Rata Asset Shares
The amount of recovered assets that users will be able to access will be determined based on pro-rata shares of recovered funds. To understand pro-rata shares, here’s an example: if 10% of the total exploited ETH has been recovered, and Alice has an NFT that accounts for 20 ETH (what she originally bridged to Ethereum), Alice will be able to use her NFT to access 2 ETH. The process for determining pro-rata shares will be applied similarly for each canonical token that was exploited and users will be able to view a pro-rata share of a specific token as part of the metadata associated with their recovery NFT(s).
There is some complexity in calculating the total pool of recovered funds for each exploited token because some whitehats returned different tokens than they took in the hack (ex: a hacker stole ETH, swapped the ETH for DAI, and then eventually returned DAI). We go into deeper depth on the methodology for calculating the total recovered funds for each token in this post, but a summary is as follows:
- Map recovered funds back to the relevant hack transaction(s).
- If a token different from the stolen token(s) was returned, returned tokens will be unwound back to the canonical token that was stolen.
- Aggregate the total amount of recovered tokens to get the total pool of recovered funds for each token.
We do not yet have a way for users to check the total amount of recovered funds by token, or pro-rata shares of hacked tokens, but we will share that information as soon as we can and will link it in this post.
Part 3: Bridge Operation Plan Going Forward
While many of the details related to operating the Nomad Token Bridge are in flux and may change over time, we wanted to share the key pieces of information we do have about operations.
Impacted Chains
The only chain impacted by the hack was Ethereum. This means that if the tokens you bridged over the Nomad Token Bridge were canonical assets of a non-Ethereum chain (eg. GLMR (canonical on Moonbeam) or EVMOS (canonical on Evmos)), you will only need to go through the KYC process to bridge back as normal.
Timing of NFT Minting and KYC Verification
Users can begin submitting their KYC for verification now at https://app.nomad.xyz/. The KYC verification will be done by Coinlist, and we expect this process will take 1–7 days for individuals and 1–3 weeks for other entities (companies, DAOs, etc.). FAQs on this process can be found here. We will process approvals from Coinlist daily, so once you receive a notification that your KYC has been approved, you will be able to bridge back your madAssets (and subsequently mint your NFT) within 48 hours.
Future Asset Recovery
Any funds recovered after launch will be made available pro-rata based on the process outlined above. Recovered funds will be batched, processed, and made available for access via the process described above on a regular basis.
Locking New Funds
No new canonical tokens will be allowed to be bridged in the Nomad Token Bridge contracts (on any chain) at this time.
The road to relaunching the Nomad Token Bridge has been challenging, but we thank our community, partners, and friends who have provided help and support to make this recovery process possible.
