The Nomad bridge hack in the mid evening of August 1st surprised us all. A flurry of worry and emotions hit many communities upon hearing the news that the projects they support and have invested in may be in danger. However, communication has been at the forefront of our efforts to educate the communities on the specifics of the events that unfolded.
The History:
The Nomad Bridge, along with Milkomeda, teamed up to bring ERC20 bridging possibilities to Cardano. Nomad holding the contracts for ERC20 deposits, and Milkomeda holding the Cardano Native Token (CNT) equivalent to be distributed to users of the bridge from Ethereum to Cardano.
Charli3 supported the use of this bridge for users to be able to transfer their tokens to Cardano in a long-awaited migration event. At this point, Charli3 openly communicated that they would no longer support the ERC20 token, burned their ~56million remaining supply, and suggested all to bridge over to CNT where the full supply of 100million has been minted. Liquidity left on ERC20 was only user held and could be removed at any moment by those users, potentially leaving users without a way to liquidate ERC20 tokens. The plan was to keep the bridge open as long as possible to allow long-term holders and occasional wallet checkers the ability to swap to the supported CNT whenever they wanted. However, things changed with the bridge hack.
The Hack:
The quick details are thus-
- A hacker managed to infiltrate the Nomad Bridge, gaining access to the ERC20 tokens held in Nomad contracts from users who had previously swapped theirs for C3’s Cardano Native Token (CNT). An ERC20 token burn mechanism was planned when swapping to C3 CNT, but it was not possible with the bridge infrastructure.
- The hacker dumped their ERC20 on Uniswap, causing the massive sell-off spike at 19:21 EST, decreasing the ERC20 token price on Uniswap (which is what is tracked by CMC and CoinGecko)
- NO C3 CNT WERE LOST. The Milkomeda side of the transaction was not compromised and all CNTs stayed safe, as is indicative of the price seen on Minswap and Sundaeswap.
- Charli3 issued a response to not buy/sell any ERC20-related tokens, as it only helps the hacker gain more money, and that there was no decision yet as to how to manage the situation
- Users saw the massive sell-off as a profitable opportunity and started buying and selling anyway
The Problem:
The project and community investments were not affected, but what to do now with ERC20 holders since there is no bridge?
The leadership decision:
- ERC20 tokens bought post-hack will not be supported by Charli3
- A pre-hack snapshot will be taken of the holders and the amounts of C3 they held at the time
- A *future* manual bridging solution to CNT will be honored for pre-hack holders of the ERC20 C3 coin.
- Any tokens that were bought post hack will not be honored for CNT transfer. The reasoning behind this is that the tokens that were flooded back onto the market from the nomad bridge were meant to be permanently removed from circulation upon prior bridging. Allowing them to be honored for CNT transfer would disrupt the max supply by many millions of tokens, and permanently devalue the token. Furthermore, they would flood the CNT market, opening up yet another arbitrage event, lowering the value of the token, and continuing our tie to ERC20 that we no longer are supporting. That is not fair to any party nor is it responsible for us to allow that harm to the project or our community.
- Any LP providers will also be honored in their post-hack holdings of ERC20 C3 tokens, but not those gained post-hack
Future Bridging:
- Bridging solutions are not simple, and, as we’ve seen, vulnerable to attacks. A future bridging solution will be worked on when the team has the time and resources to ensure a safe option is available.
- Currently, we have high-priority work to accomplish in getting the Oracle solution ready for the main net release and the upcoming Vasil hard fork. Many projects are relying on our working oracle solution to help propel the state of defi adoption on Cardano. We must stay vigilant on the Oracle being our top priority.
- We value our early and long-term supporters and have made these decisions with everyone's best interests in mind, for the longevity of Charli3, our investors, and our community.
Additions:
- CMC now tracks the price of the CNT from Sundaeswap, and Minswap. it is NOT the price of the ERC20 token. Always check the sources first.
- CoinGecko removed the ERC20 tracker upon request and put a description saying that we are available on Cardano DEX’s. They will be implementing Cardano token tracking at a later date
- once again, C3 ERC20 Tokens help from before the hack on August 1st 2022, are SAFE. Just hold them in your ETH wallets until there is a bridge in the future.