Nomad Bridge Hack 2022 — $190M Exploit Analysis

A faulty initialization set a trusted root to 0x00, allowing anyone to spoof any message, leading to a chaotic free-for-all drain.

Details

Full Description

During a routine upgrade, Nomad's Replica contract was initialized with 0x0000...0000 as a trusted root. This meant any message with a body of 0x00 would pass verification. Once discovered, hundreds of copycat attackers replayed the original transaction with their own addresses, draining the bridge in a chaotic swarm attack with 300+ unique addresses.

Laundering Analysis

Funds distributed across hundreds of wallets. Some 'white-hat' participants returned approximately $36M voluntarily. Remaining funds routed through Tornado Cash and cross-chain bridges. Nomad offered 10% bounty for return of funds. Attacker identities largely unknown due to scale of copycat participation.

Sources

Transaction Hashes

Related Hacks

Back to Browse