The Nomad Bridge Attack and the Mystery of Uniswap V2

By Riyad Carey, Kaiko

Aug 4, 2022 · 5 min read

Anyone who’s seen Ocean’s Eleven knows that the best heists involve a diversion. This week, the Nomad Bridge, which connects Ethereum, Avalanche, Moonbeam, Evmos, and Milkomeda C1, was the target. This exploit was unique in that many people were able to join in and drain funds with a little technical know-how; some whitehats removed funds from the pool to protect them as it became clear that the bridge would be robbed of almost everything.

This exploit was kicked off by four transactions in the same block:

Two of the four transactions simply removed the wBTC. Curiously, two didn’t, instead routing the wBTC directly into Uniswap V2 and losing over $500k and $1mn in slippage in the process. We’ll come back to this.

Two transactions show the hacker moving 100 wBTC from Nomad to Uniswap V2. Source: Etherscan

One minute later, there was another 100 wBTC swap, again incurring about $500k in slippage.

Another transaction moving 100 wBTC to Uniswap V2, swapping for wETH. Source: Etherscan

About 20 minutes later, one of the four wallets that had originally just drained wBTC from Nomad followed suit, withdrawing and sending 300 wBTC to Uniswap V2, this time losing over $3mn in slippage.

300 wBTC swapped for wETH on Uniswap V2. Source: Etherscan

In total there were four large swaps of wBTC for wETH, which we can visualize in trade data pulled directly from Uniswap V2 [see: Kaiko DEX coverage]. Each large wBTC sell was followed by a corresponding buy from an arbitrageur, whose bot automatically picked up the massive divergence in prices.

All four “sell” swaps for wBTC instantly triggered a corresponding “buy”, which we can observe in the trade data pulled directly from Uniswap V2.

The question thus becomes why separate wallets, presumably operated by someone or a group of people with enough technical skill to exploit a bridge, would send some of their loot to Uniswap V2 instead of V3. As shown below, Uniswap V2’s wBTC-wETH pool has the equivalent of just over $15mn in total liquidity (~330 wBTC and ~4,700 wETH); these two transactions alone represent about 2/3 of the pool’s liquidity. For context there was over $300mn in TVL across all wBTC pairs on V3, including $270mn on the largest wBTC-wETH pair.

The wBTC-wETH pool on Uniswap V2 is relatively illiquid compared with Uniswap V3, containing the equivalent of just $15mn TVL.

These transactions were clearly anomalous. For the previous month, daily volume on the Uniswap V2 wBTC-wETH pool was the equivalent of just $300-$400k. On the day of the Nomad hack, volume spiked to more than $18mn despite limited liquidity to support the swaps.

What happens when huge transactions are routed through a pool with not enough liquidity? Large price swings. The price of wBTC in terms of wETH on Uniswap V2 was cut in half during each of these transactions.

We can see the direct impact of these swaps on the price of the wBTC pair. With each exploiter sell there were corresponding arbitrage buys at extremely low prices.

The price of wBTC denominated in wETH plummeted following each large sell.
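The size of these price moves follows from Uniswap V2's constant-product rule (x · y = k, with a 0.3% fee taken on the input). The sketch below is an added example, not code from the article or from Kaiko; the function names are hypothetical, and it assumes the approximate reserves quoted above (~330 wBTC, ~4,700 wETH) as the starting state, so its output is illustrative rather than a reconstruction of the actual swaps.

```python
FEE = 0.997  # Uniswap V2 keeps 0.3% of the input amount as the LP fee

def swap_out(amount_in, reserve_in, reserve_out):
    """Tokens received from a constant-product (x * y = k) pool, fee on input."""
    effective_in = amount_in * FEE
    return effective_in * reserve_out / (reserve_in + effective_in)

def analyse_swap(amount_in, reserve_in, reserve_out):
    """Execution shortfall and pool-price move for a single swap."""
    spot = reserve_out / reserve_in                    # price before the swap
    out = swap_out(amount_in, reserve_in, reserve_out)
    after = (reserve_out - out) / (reserve_in + amount_in)  # price after the swap
    return {
        "amount_in": amount_in,
        "out": out,
        "shortfall": 1 - (out / amount_in) / spot,     # value lost vs. spot
        "price_drop": 1 - after / spot,                # move in the pool price
    }

def max_input_for_shortfall(reserve_in, shortfall):
    """Largest input the pool absorbs before losing more than `shortfall`."""
    return reserve_in * (FEE / (1 - shortfall) - 1) / FEE

def flag_swaps(sizes, reserve_in, reserve_out, threshold=0.05):
    """Return analyses of swaps whose shortfall exceeds `threshold`."""
    results = (analyse_swap(s, reserve_in, reserve_out) for s in sizes)
    return [r for r in results if r["shortfall"] > threshold]

# Assumed starting state: the approximate reserves quoted in the article.
WBTC_RESERVE, WETH_RESERVE = 330.0, 4700.0
# Constructed swap sizes in wBTC: one routine trade plus the two sizes reported.
SAMPLE_SIZES = [1.0, 100.0, 300.0]

if __name__ == "__main__":
    for r in flag_swaps(SAMPLE_SIZES, WBTC_RESERVE, WETH_RESERVE):
        print(f"{r['amount_in']:>5.0f} wBTC -> {r['out']:,.0f} wETH, "
              f"shortfall {r['shortfall']:.1%}, pool price down {r['price_drop']:.1%}")
    print(f"5% shortfall reached at ~{max_input_for_shortfall(WBTC_RESERVE, 0.05):.1f} wBTC")
```

Under these assumed reserves, anything much larger than about 16 wBTC already gives up more than 5% of its value, which is why a simple size-to-reserve check is enough to flag swaps like these as anomalous.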

This huge price imbalance benefited bots that could arbitrage between Uniswap V2 and V3. Seen below is a wallet turning 684 ETH into 100 BTC into 1,418 ETH, for a cool profit of 732 ETH or about $1.2mn USD.

Arbitrage bots automatically picked up on the price divergence, netting huge profits. Source: Etherscan.

This brings us back to our question: why would someone, or some group of people, send stolen wBTC to Uniswap V2 instead of V3? A 300 wBTC swap on V3 wouldn’t even hit 0.5% price impact, a far cry from the 50% the exploiter dealt with on V2.

There are a few possibilities. The first is that they didn’t really care. Wrapped Bitcoin was just the tip of the iceberg in the exploit, as over $190mn in total was stolen. Maybe when you’re draining tens of millions of dollars worth of tokens from a bridge a couple million lost on slippage is no big deal. But that just doesn’t seem right.

My first instinct was that the real target of the hack wasn’t the bridge but the arbitrage profit in what would be the Web 3 version of money laundering. These days it’s getting harder and harder to launder stolen crypto, as shown in April by Tornado Cash’s announcement that it would be blocking Ethereum addresses sanctioned by OFAC. Additionally, on-chain tracking is continually improving and there’s no guarantee of complete anonymity when using a mixer like Tornado Cash. The only clean profit in this whole saga came from the arbitrage between V2 and V3. It doesn’t appear to be illegal to close the difference in price across DEXs and make millions of dollars in the process (I’m not a lawyer).

As intriguing as this hypothesis is, as pointed out by Romain Saradjian, Kaiko’s On-Chain Data Product Owner, bot operators are never sure they will arbitrage a specific transaction, and it’s nearly impossible to aim for a specific arbitrage.

So again we’re left with the mystery of why Uniswap V2 instead of V3. Perhaps Hanlon’s razor is the best explanation: “never attribute to malice that which is adequately explained by stupidity.”
