On August 1, 2022, the Nomad bridge was hacked and all $190M in crypto assets were drained. The Clipper team has spent the past few days investigating the issue and how it has affected the Clipper DEX and community, and decided on a different approach for Clipper’s bridge strategy going forward. Here’s what you need to know:
Background: What is a crypto bridge?
For context, a “bridge” is a protocol for transferring assets from one blockchain to another. For example, users who want to bridge ETH from Ethereum to Moonbeam first have to deposit ETH into the Bridge Provider’s Ethereum Smart Contracts; the Bridge Provider then mints its own version of ETH on Moonbeam (let’s call this Moonbeam-ETH) and transfers it to the user. Since there are multiple bridge providers, there are multiple versions of ETH on Moonbeam. For instance, Nomad mints Moonbeam-ETH-nomad, Multichain mints Moonbeam-ETH-multichain, and Synapse mints Moonbeam-ETH-synapse.
Obviously, this can get incredibly confusing, and some blockchains have attempted to simplify this by designating an official bridge so that in practice everyone just uses one form of each asset. In any case, the important consideration is that each version of Moonbeam-ETH only has value insofar as it is backed 1:1 by actual ETH on Ethereum, and can be redeemed by bridging back. At least that’s how it’s supposed to work.
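The 1:1 backing described above can be written as a ledger invariant that a pool operator checks per bridge provider. The following is an added example, not code from Clipper or from any bridge; `LockMintBridge`, `underbacked` and the amounts are hypothetical, and the model tracks only locked collateral and minted supply.

```python
from dataclasses import dataclass, field


@dataclass
class LockMintBridge:
    """Toy ledger for one bridge provider (constructed model, not real contracts)."""
    provider: str
    locked: dict = field(default_factory=dict)  # asset -> units in the source-chain lock contract
    minted: dict = field(default_factory=dict)  # asset -> wrapped units outstanding on the destination chain

    def deposit(self, asset, amount):
        # Lock on the source chain, mint the same amount of this provider's wrapped token.
        self.locked[asset] = self.locked.get(asset, 0) + amount
        self.minted[asset] = self.minted.get(asset, 0) + amount
        return f"{asset}-{self.provider}"

    def redeem(self, asset, amount):
        # Burn wrapped tokens and release collateral; fails if the lock contract cannot pay.
        if amount > self.minted.get(asset, 0):
            raise ValueError("cannot burn more than is outstanding")
        if amount > self.locked.get(asset, 0):
            raise RuntimeError("lock contract cannot cover redemption")
        self.minted[asset] -= amount
        self.locked[asset] -= amount

    def backing_ratio(self, asset):
        supply = self.minted.get(asset, 0)
        return 1.0 if supply == 0 else self.locked.get(asset, 0) / supply


def underbacked(bridges, asset, floor=1.0):
    """Wrapped tokens whose locked collateral no longer covers outstanding supply."""
    return [f"{asset}-{b.provider}" for b in bridges if b.backing_ratio(asset) < floor]


def demo():
    # Constructed amounts; provider names follow the article's examples.
    nomad, synapse = LockMintBridge("nomad"), LockMintBridge("synapse")
    nomad.deposit("ETH", 100)
    synapse.deposit("ETH", 40)
    nomad.redeem("ETH", 10)          # a normal round trip keeps the ratio at 1.0
    before = underbacked([nomad, synapse], "ETH")
    nomad.locked["ETH"] = 0          # collateral leaves the lock contract with no matching burn
    after = underbacked([nomad, synapse], "ETH")
    return before, after, nomad.backing_ratio("ETH"), synapse.backing_ratio("ETH")
```

Only the wrapped token of the provider whose lock contract was emptied is flagged; the other provider's version of the same asset stays fully backed, which is why a pool's exposure depends on which bridge's assets it holds.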
Status of Clipper Moonbeam Pool & Funds
Unfortunately, hackers were able to drain all the assets from Nomad’s Ethereum Smart Contracts. That means the Nomad versions of those assets on Moonbeam are no longer redeemable 1:1 and are thus effectively worthless. As a result, all Nomad assets on Moonbeam are trading for pennies on the dollar against non-Nomad assets like GLMR or Moonbeam-ETH-synapse.
Unfortunately, Clipper’s Moonbeam pool traded Nomad’s version of each asset (namely, Moonbeam-ETH-Nomad, Moonbeam-WBTC-Nomad, Moonbeam-USDC-Nomad, Moonbeam-DAI-Nomad, Moonbeam-USDT-Nomad). We chose the assets from this bridge at the recommendation of Moonbeam’s core contributors. Over 50% of all TVL on Moonbeam was bridged through Nomad and is similarly affected.
Prior to the Nomad hack, Clipper’s pool on Moonbeam had ~$400K of TVL. Of that, ~$350K was made up of protocol-controlled value previously funded by grants and ~$50K provided by Clipper community members, including the personal capital of Clipper core contributors. Now, these funds are effectively worth zero unless Nomad can recover the funds or raise other capital to reopen redemptions. We are awaiting news from Nomad but have no more information than the general public. We remain impressed by everything that the Moonbeam ecosystem has accomplished, but we do not plan to make any decisions on the future of Clipper on Moonbeam until we receive further news.
What does this mean for bridges in the future?
The Nomad hack is especially bad – not just because of the funds lost but because of the existential question it raises for bridging and a multichain world.
Prior to Nomad, nearly all of the bridges that had been hacked used a trusted security model, where funds were essentially secured by a multisig and users relied on the reputation of the bridge operator to ensure the security of funds. For example, Ronin required 5 out of 9 total validators to approve deposits and withdrawals (and Sky Mavis controlled 4 of the validators at the time). A hacker was able to take control of 5 of the validator wallets and withdraw funds from the bridge contract. Similarly, the Harmony bridge was secured by a 2 of 5 multisig, and a hacker was able to take control of 2 of the addresses to drain the bridge. While these hacks were regrettable, ‘trustless’ bridge models were already in development, and the future of bridging felt bright. Nomad was a shining example of a trustless model.
Nomad’s exploit, however, shows that even trustless bridges are susceptible to exploits. This is depressing because we don’t have an alternative model to give us hope. Any bridge, as currently architected, is going to create (a) an enormous honeypot on one side and (b) systemic risk for the entire ecosystem that is reliant on the bridge. We need a new paradigm for bridge design.
Believe it or not, we might be able to draw lessons from TradFi. Bridging between chains feels an awful lot like exchanging sovereign currencies between countries. In TradFi, the correspondent banking system and FX market handle day-to-day ‘bridging’, while periodically banks and countries settle up with each other through their respective central banks. Back when the world was on the gold standard, countries would periodically settle up by moving gold back and forth. Perhaps this is how bridging should work in the multichain world. Day-to-day bridging could be done via a marketplace of private actors with capital on both chains. Periodically, big chunks of net value could be shifted from one chain to another in a very unwieldy but very secure process, perhaps built into the security model of the chains themselves. Perhaps the dream of a trustless & secure bridge for day-to-day amounts of money is simply unnecessary.
As a result, we expect future bridges to emerge that are incredibly secure but impractical to use on a day-to-day basis, because they trade off usability for security. Meanwhile, a variety of entities will facilitate swaps (as distinct from bridging) across chains. This will effectively allow everyday users to jump from assets on one chain to previously bridged assets on the other chain in a user-friendly manner. This is something we expect to see in the near future, but in the meantime we have developed our own plan of action.
What will Clipper’s bridge strategy be going forward?
Going forward, we intend for Clipper to facilitate cross-chain swaps itself using a new, dedicated asset as the common numeraire. Meanwhile, we intend for the assets in the pools on other chains to be restricted to the most secure bridge available, with no consideration given to their usability.
By splitting day-to-day cross-chain swaps from the process of bridging, we can provide a user-friendly cross-chain experience for retail traders without any compromises on bridging.
What will happen to Clipper on Moonbeam?
We really don’t know. This really depends on Nomad. If they can negotiate a bailout, perhaps by recapturing some of the lost funds or through a deep-pocketed investor (see Jump Crypto’s bailout of Wormhole), then the assets in Clipper’s Moonbeam pool will again have value and trading can resume (note: withdrawals are noncustodial and permissionless, and are still open). If there is no Nomad bailout, then it probably depends on what happens to the Moonbeam ecosystem, which lost 70% of its TVL as a result of the hack.
We think very highly of Moonbeam and the Polkadot ecosystem, and are bullish that the ecosystem can emerge stronger than before. However, this is likely a precondition for Clipper to begin Moonbeam trading again, since Clipper will need a baseline of sufficient liquidity, which comes from the community. In other words, stay posted – we will provide answers and plans when we have more information. In the meantime, we appreciate the Clipper community’s patience and support. This was an unexpected breach that took the DeFi sector by surprise, and we know some dedicated Clipper users have been personally affected by its fallout. That’s why we’re doing our best to get some answers and ensure that something like this never happens again.