Nomad Bridge’s $200 Million Exploit Postmortem

Hi! In this post I explain the recent exploit at Nomad Bridge, which took place on 1 August 2022. The total loss was approximately $200 million, making it one of the largest hacks Web3 has ever seen. Let's get started.

What is Nomad Bridge?

Before looking at the vulnerability, let's understand what bridges are and how they work. A cross-chain bridge connects independent blockchains and enables the transfer of assets and information between them, allowing users to access other protocols easily. Bridges typically work by locking up tokens in a smart contract on one chain and then reissuing those tokens in "wrapped" form on another chain.

Nomad is a cross-chain bridge that allows users to send and receive tokens between different blockchains such as Ethereum and Moonbeam.
Nomad enables applications to send data between blockchains (including rollups). Applications interact with a contract to enqueue messages to be sent, after which off-chain verifiers verify and ferry these messages between chains.

Vulnerability Analysis:

Here is the link to the transactions on Etherscan for reference.

Looking at the transactions that interacted with the contract, we can see that these exploits have one thing in common: they all call the `process()` function in the Nomad ERC20 Bridge contract.

The bug was in the `process()` function of the `Replica.sol` contract. The function checks that the domain of the message is correct (i.e. a message signed for Evmos is meant for Evmos) and that the message has been proven by the prover.
The check: `require(acceptableRoot(messages[_messageHash]), "!proven");`
It verifies that the root stored for the message is an acceptable root. If it is not, the call reverts with the `!proven` error.

For a message that has never been proven, `messages[_messageHash]` is uninitialized, so its stored root is `0x00`.

And `0x00` was now considered an acceptable root in the contract.

This was because, during a routine upgrade, the Nomad team initialized the trusted root to `0x00`.

Marking the zero hash as a valid root had the effect of allowing messages to be spoofed on Nomad.
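To make the failure mode concrete, here is a simplified Solidity model of the two interacting pieces: an initializer that confirms whatever root it is given (so a zero root becomes acceptable), the default-zero mapping entry for an unproven message, and a hardened variant that rejects the zero root at both points. This is an added illustration, not Nomad's code; the contract, function and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified model of the Replica check described above (not Nomad's code).
contract ReplicaModel {
    // message hash => root it was proven against; a never-proven message reads as bytes32(0)
    mapping(bytes32 => bytes32) public messages;
    // root => timestamp from which it counts as confirmed; 0 means "never confirmed"
    mapping(bytes32 => uint256) public confirmAt;

    // Vulnerable pattern: confirms the supplied root unconditionally.
    // Calling this with _committedRoot == bytes32(0) makes the zero root acceptable,
    // which is exactly what an unproven message resolves to.
    function initializeVulnerable(bytes32 _committedRoot) external {
        confirmAt[_committedRoot] = 1;
    }

    // Hardened pattern: a zero root can never be a real Merkle root, so refuse it.
    function initializeSafe(bytes32 _committedRoot) external {
        require(_committedRoot != bytes32(0), "zero root");
        confirmAt[_committedRoot] = 1;
    }

    function acceptableRoot(bytes32 _root) public view returns (bool) {
        uint256 _time = confirmAt[_root];
        if (_time == 0) return false;
        return block.timestamp >= _time;
    }

    // Vulnerable process: relies solely on acceptableRoot(). After initializeVulnerable(0x00),
    // any message hash passes because messages[_messageHash] defaults to bytes32(0).
    function processVulnerable(bytes32 _messageHash) external view returns (bool) {
        require(acceptableRoot(messages[_messageHash]), "!proven");
        return true;
    }

    // Hardened process: reject the default value explicitly, so an unproven message
    // fails even if the zero root were ever confirmed by mistake.
    function processSafe(bytes32 _messageHash) external view returns (bool) {
        bytes32 _root = messages[_messageHash];
        require(_root != bytes32(0), "!proven");
        require(acceptableRoot(_root), "!proven");
        return true;
    }
}
```

Deploying this model and calling `initializeVulnerable(bytes32(0))` followed by `processVulnerable(keccak256("anything"))` shows the unproven message being accepted, while `processSafe` reverts with `!proven` for the same input.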

Copy-pasting transactions:

It was found that the calldata from earlier successful transactions could simply be copy-pasted into fresh transactions to retrieve assets from the bridge.

This led to hundred of people to copy the transaction calldata, and just by changing the address, they can replay the attack.

samczsun added in his Twitter thread:
"This is why the hack was so chaotic — you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it"

For educational purposes, a PoC for this attack was created by massun-onibakuchi and can be found at the GitHub link below.

https://github.com/massun-onibakuchi/nomad-bridge-exploit-poc

After the Exploit:

The Nomad team acknowledged the exploit and posted updates on the situation through their Twitter handle:

Nomad further said that their "white hat friends" were draining funds to help safeguard ETH/ERC-20 tokens from further exploitation, and would be returning them to Nomad's address.

So far, at least one individual has come forward and offered to act as a white hat hacker who intends to return the funds they took from the bridge. The individual, going by Notifi Bot on Twitter, reached out to Nomad in a tweet stating, "This is a whitehack. I plan to return the funds."

Thanks for reading. Any suggestions are always welcome!

Connect with me:

Twitter
LinkedIn
Github
Instagram
Hashnode

Sm4rty

Smart contract Auditor at QuillAudits. Interested in Web3 and SmartContract Security.