
Nomad Bridge — open-door exploit

A routine upgrade accidentally set Nomad bridge's trusted root to zero, making every withdrawal message valid; opportunistic attackers drained $190M in a chaotic free-for-all within hours.

Target: Nomad Bridge — open-door exploit
Date public: 1 August 2022
Sector: Crypto
Attack type: Vulnerability Exploit
Threat actor: Distributed copy-paste exploitation by hundreds of addresses
Severity: High
Region: Global

Nomad was a bridge for moving cryptocurrency between different blockchains. To prevent fraud, every transfer message was checked against a "trusted root" — a kind of master reference that proved the message was legitimate. During a routine software upgrade, the team accidentally set that trusted root to zero — a blank value. The consequence was severe: the contract's check now said "accept any message that matches the trusted root" and the trusted root was zero, so any message at all would pass, because zero is always equal to zero. The bridge effectively had no security check remaining.

The first attacker noticed this and submitted a transaction to drain some funds. Because blockchain transactions are public, anyone watching could see exactly what the attacker had done — and copy it. No hacking skill was required; you just changed the recipient address in the transaction and resubmitted it. Hundreds of people did exactly that over the next three hours. It wasn't one sophisticated attacker emptying the bridge — it was a crowd of opportunists with copy-paste skills. About $190 million was taken before there was nothing left to take.

What happened

On 1 August 2022, the Nomad cross-chain bridge was drained of approximately $190 million in a chaotic multi-hour exploit involving over 300 distinct wallet addresses. Unlike virtually every other major bridge exploit, this was not the work of a single sophisticated attacker. A single vulnerability — an initialisation error in a recent contract upgrade — made every withdrawal transaction valid, and once the first exploiter demonstrated how to claim funds, the technique was copied wholesale by hundreds of opportunists who simply modified the recipient address and resubmitted the transaction.

Total losses were approximately $190 million. Nomad subsequently negotiated with participants who had taken funds, designating them “white hats” if they returned assets voluntarily and offering a 10% bounty. Approximately $36 million was returned. The bridge did not resume operation in its original form. The incident is unique in the history of DeFi exploits as the only major theft carried out by a largely unskilled crowd rather than a determined individual or organised group.

How it worked

Nomad’s security model relied on a “Merkle root” — a cryptographic fingerprint of all legitimate transfer messages processed by the bridge. Incoming transfer messages were verified by checking them against this trusted root: only messages that matched the root’s history of approved transfers would be accepted.

During a routine contract upgrade, engineers initialised the committedRoot storage variable — the trusted root — to 0x00 (the zero value). In the Nomad contract’s validation logic, a message was considered valid if it had previously been processed or if it matched the committed root. Because the committed root was now zero, and because the EVM’s default value for uninitialised storage is also zero, the validation function evaluated to true for any message that had the zero value in the right field. In effect, the condition “does this message’s root match the trusted root?” was answered “yes” for every message ever submitted, because every message’s root defaulted to zero and zero equals zero.

This is a logical trivialisation: a security check that is supposed to distinguish legitimate from illegitimate messages instead accepts everything. The attacker did not need to forge a signature, find a cryptographic collision, or reverse-engineer the contract’s internal state. They only needed to submit a withdrawal message — any withdrawal message — with valid formatting. The contract would approve it.

The first exploit transaction was submitted and the attacker received funds. The transaction was visible on the public Ethereum mempool and in block explorers within seconds. A second wave of addresses submitted near-identical transactions within minutes — not by independently discovering the vulnerability but by observing the first transaction and copying its structure, substituting their own recipient address. This wave then attracted a third wave of observers doing the same thing. The bridge emptied through roughly three hours of cascading copy-paste activity.

The behaviour of the crowd was directly shaped by the economic structure of public blockchains: all transactions are visible, all data is readable, and the cost of submitting a transaction is denominated in fractions of a cent. Once the first transaction demonstrated that the bridge would pay out, the information asymmetry disappeared. The exploit became fully democratised.

Timeline

  • 21 April 2022 — Nomad’s contract upgrade is deployed, initialising committedRoot to zero. The flaw is introduced but not immediately noticed.
  • 1 August 2022, ~21:32 UTC — First exploit transaction submitted. An attacker claims a large amount of WBTC from the bridge.
  • 1 August 2022, ~21:45 UTC — Second and third addresses begin submitting copied transactions. The exploit is visible in block explorers.
  • 1 August 2022, ~22:00 UTC onward — Hundreds of addresses participate. The bridge drains in cascading waves across approximately three hours as liquidity is exhausted.
  • 2 August 2022 — Nomad takes the bridge offline and publishes a statement confirming the exploit. The team contacts law enforcement and blockchain analytics firms.
  • August–September 2022 — Nomad begins negotiating with participants, designating some as white hats and offering a 10% bounty for voluntary return. Approximately $36M returned.
  • Bridge does not resume in original form. Nomad works with new auditors on a rebuilt architecture but does not restore the previous product at scale.

What defenders should learn

The Nomad incident is a canonical change-management failure. The vulnerability was not in the original bridge design — it was introduced in a production deployment that initialised a critical security variable to a logically permissive default value. The question every production deployment should require an answer to is: “what is the consequence if any storage variable in this upgrade is set to its zero or default value?” For most variables the consequence is tolerable; for a trusted root that gates all bridge withdrawals, the consequence is total loss.

Testing discipline is the second failure. A deployment to a mainnet contract holding $190 million should be preceded by testing on a production-equivalent fork with meaningful coverage of the initialisation state. The specific failure mode here — a zero-initialised security root that accepts everything — would have been caught by any test that attempted an unauthorised withdrawal after the upgrade. The absence of that test is the proximate cause.
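
The zero-root failure described under "How it worked" and the post-upgrade test called for above can be modelled together. This is an added example, not Nomad's contract code: the Python class, the `hardened` flag, and all roots and message hashes are constructed for illustration, and Merkle proof verification is assumed to happen inside `prove`.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # what an unset EVM storage slot reads as


class ReplicaModel:
    """Simplified model of the trusted-root check; not Nomad's Solidity code."""

    def __init__(self, committed_root: bytes, hardened: bool = False):
        if hardened and committed_root == ZERO_ROOT:
            raise ValueError("initialiser refuses a zero trusted root")
        self.committed_root = committed_root
        self.hardened = hardened
        self.proven_root = {}  # message hash -> root it was proven under

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification (assumed to have succeeded).
        self.proven_root[msg_hash] = root

    def process(self, msg_hash: bytes) -> bool:
        # A never-proven message reads back the storage default: zero.
        root = self.proven_root.get(msg_hash, ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False  # the default value is never evidence of a proof
        return root == self.committed_root


def post_upgrade_findings(committed_root: bytes, hardened: bool) -> list:
    """Checks to run against a fork after an upgrade, before mainnet."""
    try:
        replica = ReplicaModel(committed_root, hardened)
    except ValueError as exc:
        return [f"deployment blocked: {exc}"]
    findings = []
    # Negative test: a message nobody proved must never be processed.
    unproven = hashlib.sha256(b"constructed unproven message").digest()
    if replica.process(unproven):
        findings.append("unproven message accepted")
    # Positive test: a message proven under the trusted root still works.
    proven = hashlib.sha256(b"constructed proven message").digest()
    replica.prove(proven, committed_root)
    if committed_root != ZERO_ROOT and not replica.process(proven):
        findings.append("proven message rejected")
    return findings


REAL_ROOT = hashlib.sha256(b"constructed non-zero root").digest()
```

With a non-zero root the unhardened model reports no findings, which matches the point that the flaw came from the initialisation value and not from the original design.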

The “copy-paste crowd” dynamic carries a distinctive lesson for how protocols should think about disclosure windows. In a traditional software context, a zero-day vulnerability is a secret known only to the discoverer until it is either patched or disclosed. In a public blockchain, the moment the first exploit transaction lands on-chain, the vulnerability is fully disclosed to the entire world simultaneously. There is no patch window after the first exploit — only a race to drain the contract before it is paused. Protocols must invest in automated monitoring systems capable of detecting anomalous withdrawal patterns and triggering emergency pauses within seconds, not minutes.
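
One way to implement the monitoring described above, as an added example that is not part of any Nomad tooling: a sliding-window monitor that trips a pause on abnormal outflow or on a surge of first-time recipients. The event data is constructed and the window and thresholds are illustrative assumptions.

```python
from collections import deque

# Constructed sample events: (seconds since start, recipient, USD value).
SAMPLE_EVENTS = (
    [(t * 600, f"user{t}", 20_000) for t in range(6)]              # normal traffic
    + [(3600 + i * 20, f"addr{i}", 1_000_000) for i in range(12)]  # burst
)


class WithdrawalMonitor:
    def __init__(self, window_s=300, max_outflow_usd=5_000_000, max_new_recipients=8):
        self.window_s = window_s
        self.max_outflow_usd = max_outflow_usd
        self.max_new_recipients = max_new_recipients
        self.window = deque()  # (ts, usd, is_new) entries inside the window
        self.seen = set()      # recipients observed before
        self.paused_at = None
        self.reason = None

    def observe(self, ts, recipient, usd):
        """Feed one confirmed withdrawal; returns True while no pause is needed."""
        if self.paused_at is not None:
            return False
        is_new = recipient not in self.seen
        self.seen.add(recipient)
        self.window.append((ts, usd, is_new))
        # Drop events that have aged out of the window.
        while self.window and self.window[0][0] <= ts - self.window_s:
            self.window.popleft()
        outflow = sum(e[1] for e in self.window)
        new_recipients = sum(1 for e in self.window if e[2])
        if outflow > self.max_outflow_usd:
            self._pause(ts, f"outflow ${outflow:,} in {self.window_s}s")
        elif new_recipients > self.max_new_recipients:
            self._pause(ts, f"{new_recipients} first-time recipients in {self.window_s}s")
        return self.paused_at is None

    def _pause(self, ts, reason):
        # A real deployment would invoke the contract's emergency pause here.
        self.paused_at, self.reason = ts, reason


def run(events, **kwargs):
    """Replay events through a fresh monitor; returns (pause time, reason)."""
    monitor = WithdrawalMonitor(**kwargs)
    for ev in events:
        monitor.observe(*ev)
    return monitor.paused_at, monitor.reason
```

The second rule matters for the crowd dynamic: many small withdrawals to addresses never seen before can trip the pause even when no single transfer is large.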

Finally, the incident is a useful corrective to the assumption that DeFi exploits require sophisticated attacker capability. The bridge was emptied largely by people with no special skill who simply copied a transaction they saw on a block explorer. Security architectures that hold hundreds of millions of dollars must be designed to withstand not just state-sponsored adversaries and expert cryptographers, but anyone with an Ethereum wallet and a browser tab open on Etherscan.
