Cross-chain messaging protocol Nomad, which was exploited for $190 million back in August, is preparing to relaunch and provide partial refunds to affected users.
In a recent blog post, the Nomad protocol team announced that the project had upgraded the Nomad protocol to fix the vulnerability that caused the hack and to allow users to bridge back madAssets and access a pro-rata share of recovered funds.
The team added that they implemented a redesign for the token bridge and the “first people to bridge back their madAssets would receive canonical tokens on a one-to-one basis until there were no canonical tokens left.”
Furthermore, the team has implemented protocol changes to give users the ability to bridge back and access a pro-rata share of recovered funds, ensure the tokens accessed from bridging back are in the original token and provide a mechanism for impacted users to access future recovered funds.
“Given the scope of these changes, a full audit of the smart contracts was completed along with an additional re-review of any remediations with our auditors. We expect to be able to share a summary of the audit publicly in the upcoming weeks,” the team said.
Meanwhile, users need to complete the Know Your Customer (KYC) verification process via CoinList in order to apply for reimbursements. Nomad has said that the process is crucial in order to verify the payments adhere to the compliance norms.
Users will get an NFT that accounts for the proportional share of recovered funds on Ethereum after completing the KYC process. Moreover, the NFTs are non-transferable and will allow users to receive the remaining funds that are recovered in the future.
As reported, Nomad, which allows users to send and receive tokens between different blockchains, was drained of around $190 million earlier this year after experiencing a security exploit that allowed bad actors to spoof messages.
At the time, Sam Sun, Head of Security at Paradigm, the hack was possible because “the Nomad team initialized the trusted root to be 0x00” during an upgrade, which had the “side effect of auto-proving every message.”
“This is why the hack was so chaotic – you didn’t need to know about Solidity or Merkle Trees or anything like that,” Sun added. “All you had to do was find a transaction that worked, find/replace the other person’s address with yours, and then re-broadcast it.”
Read the full article here