Bridge Exploit
2022-08-01 · ~$190M

Nomad Bridge Exploit

August 2022 — optimistic-bridge verification bug enables 'free-for-all' looting; ~$190M drained by hundreds of copycat addresses.

Nomad was an 'optimistic' cross-chain bridge protocol — a design pattern where bridge messages are considered valid by default and challenged only if an observer detects fraud. The optimistic design was intended to be more efficient and trust-minimised than alternatives. On August 1, 2022, an upgrade to Nomad's smart contract introduced a verification bug that, in effect, made any bridge message with a 'zero' trusted root pass verification regardless of its actual contents.

The exploit pattern was unusual: once one researcher noticed the bug and successfully drained funds, the exploit method was publicly visible on-chain. Hundreds of other addresses immediately copied the exploit transaction, replacing only the destination address with their own, and drained additional funds. The 'free-for-all' nature — where exploiting required only copy-pasting a public transaction — produced an unusual decentralised exploit pattern: ~$190M total drained across hundreds of independent actors rather than concentrated in a single attacker.

Subsequent recovery efforts focused on appealing to the broader exploiter pool (many were opportunistic Ethereum-savvy users rather than sophisticated attackers) to return funds. Approximately $36M was voluntarily returned within weeks. The Nomad team and Nomad's protocol were substantially damaged; the broader optimistic-bridge category lost institutional trust.

Timeline

  1. 2022-04
    Nomad mainnet launches with optimistic-bridge architecture.
  2. 2022-04 to 2022-07
    Nomad accumulates ~$190M in TVL across multiple supported chains (Ethereum, Avalanche, Moonbeam, Evmos).
  3. 2022-08-01
    Routine smart-contract upgrade is deployed. The upgrade includes initialisation code that sets a critical 'trusted root' to zero.
  4. 2022-08-01 (~14:30 UTC)
    First exploit transaction confirms; researcher's address drains ~$2M from the bridge.
  5. 2022-08-01 (next ~hour)
    Exploit transaction becomes publicly visible on-chain; copycat exploiters begin replicating the call with substituted destination addresses.
  6. 2022-08-01 (~end of day)
    Approximately $190M drained from bridge contracts across hundreds of addresses; bridge operations halted.
  7. 2022-08-02
    Nomad team publicly acknowledges the exploit and posts a fund-recovery address asking exploiters to return funds.
  8. 2022-08-15
    Approximately $36M voluntarily returned to the recovery address.
  9. 2022-Q4 to 2023
    Bridge remains offline; Nomad team works on a broader recovery plan with the new bridging design.

Mechanism

The optimistic-bridge model. Nomad's bridge model treated cross-chain messages as valid by default. When a user wanted to bridge tokens from chain A to chain B, the protocol would: (a) lock the tokens on chain A; (b) post a 'message' to chain B claiming the lock; (c) after a challenge window, allow the user to withdraw the corresponding tokens on chain B. The challenge window allowed honest observers to flag fraudulent messages; in their absence, messages were assumed valid.

The verification function. Nomad's `process` function (the function exploited) was supposed to verify that an incoming message had a valid Merkle proof against a trusted root. The verification logic required the trusted root to match the root stored in the contract state.

The bug. A smart-contract upgrade on August 1 included initialisation code that set the trusted root to `0x00` — the zero hash. The intended behaviour was apparently to disable a specific verification path while transitioning to a new system; the actual effect was that any message with a 'proof' against the zero root passed verification. The default uninitialised value for any 32-byte hash is zero; any message could be constructed with a 'zero proof' that matched the (now-zero) trusted root.

The exploit construction. An exploiter constructed a `process` call with: (a) a message claiming a large deposit on the source chain; (b) a 'proof' consisting of empty/zero bytes; (c) a destination address controlled by the exploiter. The contract verified the proof against the zero root, accepted the message, and released the claimed amount to the destination address. The exploit cost minimal gas and could be repeated indefinitely until the bridge's locked funds were exhausted.
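The root check and its failure mode can be seen in a small model, added here as an illustration and not taken from Nomad's contract code. The class, method and function names are assumptions, and the sketch assumes the message-to-root lookup behaves like a mapping whose unset entries read as zero.

```python
# Simplified model of the trusted-root check; NOT Nomad's contract code.
ZERO_ROOT = bytes(32)  # value an unset 32-byte storage slot reads as


class Replica:
    """Hypothetical bridge endpoint holding a set of trusted roots."""

    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        # Models the upgrade initialiser: whatever root is passed becomes trusted.
        self.trusted_roots = {trusted_root}
        self.proven = {}  # message hash -> root the message was proven against
        self.reject_zero_root = reject_zero_root

    def prove(self, message_hash: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification (assumed to have succeeded).
        self.proven[message_hash] = root

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # hardened: "never proven" can never equal "trusted"
        return root in self.trusted_roots

    def process(self, message_hash: bytes) -> bool:
        # A message that was never proven reads back as the zero root.
        root = self.proven.get(message_hash, ZERO_ROOT)
        return self.acceptable_root(root)


def post_upgrade_invariants(replica: Replica) -> list:
    """Checks to run against an upgraded deployment before it goes live."""
    failures = []
    if ZERO_ROOT in replica.trusted_roots:
        failures.append("zero root is marked as trusted")
    if replica.process(b"\x11" * 32):  # constructed hash that was never proven
        failures.append("unproven message passes verification")
    return failures
```

Initialising with `ZERO_ROOT` and no zero-root guard reproduces the failure; the guard alone stops unproven messages, while the invariant check still reports the bad initialisation.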

The decentralised exploit. Because the exploit was trivially copyable from on-chain transaction data, hundreds of independent addresses participated in the draining within hours. Many participants were not sophisticated attackers but opportunistic users who saw a public profitable exploit and clicked 'copy transaction' with their own address substituted. The result was a single-event $190M loss spread across hundreds of beneficiaries — a different distribution structure than typical exploit losses concentrated in a single attacker.

Impact

The Nomad exploit substantially damaged confidence in optimistic-bridge architectures. While the specific bug was an implementation error rather than a flaw in the optimistic-bridge concept, the visible failure of the implementation produced general scepticism about the architecture. Wormhole (which had its own February 2022 exploit), Multichain (which collapsed in July 2023), Ronin (March 2022, $625M), and Nomad together accumulated ~$1.4B in 2022-2023 bridge losses and pushed the industry toward more battle-tested bridge designs (LayerZero, Axelar, Hyperlane, Across). The 'free-for-all' nature of the Nomad exploit also became a teaching example — once a bug is on-chain, every participant in the ecosystem can exploit it, and the cost of remediating a public bug is fundamentally limited.

Operational lessons

  1. Initialisation defaults matter. The zero-value default for the trusted root was the load-bearing fact in the Nomad exploit. Production deployment scripts should explicitly verify that all storage variables are initialised to intended values, not rely on default-zero behaviour.
  2. Upgrades require equivalent audit rigor to initial deployment. The Nomad upgrade that introduced the bug had less scrutiny than the original deployment. Post-Nomad, the industry's standard for upgrade-process audit has tightened materially.
  3. Bridge contracts are concentrated honey-pots. Any cross-chain bridge holds large locked-asset balances and is a high-value target. Bridge design should assume sustained attack pressure and budget for substantial security investment.
  4. 'Optimistic' security models require active monitoring. Optimistic bridges depend on observers flagging fraud; if no observers exist, the optimistic assumption fails. The Nomad bug was technically detectable but no observer was monitoring in real-time when the upgrade landed.
  5. Once a bug is on-chain, it's everyone's bug. The Nomad exploit's free-for-all dynamic showed that on-chain bugs cannot be 'discreetly' exploited by a single party; the moment the bug is exercised, it becomes public, and the entire ecosystem can replicate the exploit until the underlying contract is paused or drained.
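One monitoring heuristic for the copycat pattern in lessons 4 and 5, added here as an example and not drawn from any Nomad tooling: group bridge `process` calls by calldata with the caller's own address masked, and alert when many distinct senders replay the same template in a short window. The record layout, selector bytes, thresholds and function names are assumptions, and the sample calls are constructed.

```python
from collections import defaultdict


def sample_call(t, sender, amount="0f4240"):
    """Build a constructed record: (unix_time, sender_hex, calldata_hex)."""
    # "aabbccdd" is a placeholder selector; the recipient is padded to 32 bytes.
    return (t, sender, "aabbccdd" + "00" * 12 + sender + amount.rjust(64, "0"))


# Constructed sample data, not real chain data.
SAMPLE_CALLS = [
    sample_call(1000, "11" * 20),
    sample_call(1060, "22" * 20),
    sample_call(1090, "33" * 20),
    sample_call(1100, "44" * 20, amount="01"),  # different template
    sample_call(9000, "55" * 20),               # same template, outside the window
]


def template(sender, calldata):
    """Mask the caller's own address so copies differing only in recipient collide."""
    return calldata.lower().replace(sender.lower(), "<SENDER>")


def copycat_alerts(calls, window_s=600, min_senders=3):
    """Return (template, senders) for templates replayed by many senders in a window."""
    by_template = defaultdict(list)
    for t, sender, data in sorted(calls):
        by_template[template(sender, data)].append((t, sender))
    alerts = []
    for tpl, hits in by_template.items():
        for i, (t0, _) in enumerate(hits):
            # Distinct senders seen within window_s seconds of this hit.
            senders = {s for t, s in hits[i:] if t - t0 <= window_s}
            if len(senders) >= min_senders:
                alerts.append((tpl, sorted(senders)))
                break  # one alert per template is enough to page someone
    return alerts
```

An alert of this kind is a trigger for pausing the bridge and reviewing the most recent upgrade, since the first replay is already public by the time it fires.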

Aftermath

Nomad's team continued operating post-exploit and worked on a new bridge architecture; the original bridge implementation was abandoned. Voluntary returns totalled approximately $36M of the $190M lost; the remainder was not recovered. The Nomad case is widely cited in bridge-security curricula and contributed substantially to the post-2022 industry shift toward more conservative bridge designs with explicit security budgets. No criminal charges have been publicly brought against the largest exploiters; many of the smaller copycat addresses appear to have been opportunistic users rather than organised actors. The case is also a reference for the broader debate about exploit-attribution and 'white-hat' framings — several exploiters publicly claimed white-hat status while retaining funds, blurring the line between legitimate research and theft.
