Nomad Bridge Exploit - Post-Mortem
Overview
On August 2, 2022, the Nomad cross-chain bridge suffered a catastrophic exploit resulting in the drainage of $190M in liquidity over approximately 2.5 hours. This marked the 100th incident on the rekt.news leaderboard.
What Happened
Following a routine upgrade in June, the Replica contract was initialized with a critical vulnerability. Because the flaw could be triggered by anyone, the exploit became permissionless and multiple actors joined in extracting funds. The incident was characterized by "word-of-mouth crowdhacking, frantic whitehat activity and MEV-bot carnage."
Technical Root Cause
The fatal flaw involved improper handling of the trusted root validation mechanism:
• The 0x00 address was set as a trusted root during the upgrade
• Transactions with a 'messages' value of 0 (invalid by legacy logic) defaulted to 0x00
• This zero address was designated as a trusted root in the upgrade
• The process() function (line 185 of the Replica contract) checks Merkle root validity but inadvertently accepted these default 0x00 values as valid proofs
Key Issue: "The upgrade inadvertently caused transactions with a 'messages' value of 0 to be read by default as 0x00 which was defined in the upgrade as a trusted root, passing the validation requirement as 'proven'."
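To make the mapping-default behaviour concrete, here is an added Python model of the check described above (it is not Nomad's Replica code, only a simplification of the pattern): Solidity mappings read back as zero for unset keys, so once the zero root is whitelisted at initialization, a message that nobody proved satisfies the 'proven' check. The ReplicaModel class, prove(), the PROCESSED sentinel and the hardened variant's two extra checks are assumptions of this illustration, not the project's fix.

```python
from collections import defaultdict
from hashlib import sha3_256

ZERO_ROOT = b"\x00" * 32   # what an unset Solidity mapping slot reads as
PROCESSED = b"\xff" * 32   # constructed sentinel marking an already-processed message


class ReplicaModel:
    """Toy model of the Replica root check (illustration, not Nomad's code)."""

    def __init__(self, committed_root: bytes, hardened: bool):
        self.hardened = hardened
        # Solidity mappings have no 'missing' state: unknown keys read back as zero.
        self.messages = defaultdict(lambda: ZERO_ROOT)  # message hash -> root it was proven against
        self.confirm_at = defaultdict(int)              # root -> time from which it is trusted
        # Vulnerable initialize(): whitelists whatever committed root it is handed,
        # even 0x00. The hardened variant refuses to whitelist the zero root.
        if hardened and committed_root == ZERO_ROOT:
            raise ValueError("committed root must not be zero")
        self.confirm_at[committed_root] = 1

    def prove(self, message: bytes, root: bytes) -> None:
        # Stand-in for a valid Merkle proof: record the root the message belongs to.
        self.messages[sha3_256(message).digest()] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.hardened and root == ZERO_ROOT:
            return False                  # an unset slot is never an acceptable proof
        confirm = self.confirm_at[root]   # 0 for a root that was never confirmed
        return confirm != 0 and now >= confirm

    def process(self, message: bytes, now: int) -> bool:
        h = sha3_256(message).digest()
        root = self.messages[h]           # 0x00 for a message nobody proved
        if root == PROCESSED or not self.acceptable_root(root, now):
            return False                  # "!proven"
        self.messages[h] = PROCESSED
        return True                       # the message would be executed here


def demo() -> dict:
    real_root = sha3_256(b"constructed merkle root").digest()
    vulnerable = ReplicaModel(ZERO_ROOT, hardened=False)   # the post-upgrade state
    hardened = ReplicaModel(real_root, hardened=True)
    hardened.prove(b"legit transfer", real_root)
    return {
        "vulnerable_accepts_unproven": vulnerable.process(b"never proven", now=100),
        "hardened_rejects_unproven": hardened.process(b"never proven", now=100),
        "hardened_accepts_proven": hardened.process(b"legit transfer", now=100),
    }
```

The vulnerable instance accepts a message that was never proven solely because its mapping slot reads as 0x00 and 0x00 is a confirmed root; the hardened instance rejects it while still accepting a properly proven message.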
Attack Vector
1. Attacker calls process() directly without prior validation proof
2. Invalid message batches default to 0x00 address validation
3. Cross-chain messages execute as valid
4. Copycat attackers replicate the exploit by pasting the same function call via Etherscan, substituting their addresses
The Quantstamp audit completed in June had flagged a similar issue (QSP-19), with auditors noting: "We believe the Nomad team has misunderstood the issue."
Financial Impact
• Total Loss: $190M in liquidity drained
• Affected Ecosystems:
• Moonbeam TVL: $300M → $135M
• EVMOS TVL: ~$7M → ~$3M
• Milkomeda TVL: $31M → $20M
Top Three Exploiter Addresses:
• 0x56D8B635A7C88Fd1104D23d632AF40c1C3Aac4e3 ($47M)
• 0xBF293D5138a2a1BA407B43672643434C43827179 ($40M)
• 0xB5C55f76f90Cc528B2609109Ca14d8d84593590E ($8M)
Notable extractions:
• 🍉🍉🍉.eth: $4M (claimed whitehat recovery)
• Rari Capital (Arbitrum) exploiter: ~$3M in stablecoins (transferred to Tornado Cash)
Initial Failed Attempt: First exploit cost $350k in gas fees before successful execution
Remediation & Response
• Team's official acknowledgment came three hours after exploit initiation
• The Replica contract was eventually halted by "removing the Replica contract as owner"
• Critical delay prevented fund recovery
• Many exploiters claimed whitehat status, though actual fund returns remain uncertain
Related Risks Identified
The article notes that cross-chain bridges remain a systemic weak point for DeFi, particularly concerning given four of rekt.news's top five leaderboard incidents involve cross-chain attacks. The collapse created a broader confidence crisis beyond the direct financial losses.