On 1st August 2022 the Nomad bridge was hacked and within 3 hours about $190 M of funds were taken. The attack affected related projects such as EVMOS, Milkomeda and Moonbeam.
August 1st 2022
The exploit unfolds…
The exploit was spotted as unusual activity by @spreekaway, shown in this thread.
It seemed that transactions were draining funds from the bridge: by sending 0.01 WBTC you could get 100 WBTC back.
In theory, the bridge was controlled by a transfer first being proved, after which a transaction could go through to process the movement of the funds.
So what should have been happening is that the messages submitted should have been proven, then included in a Merkle tree whose root is stored and flagged as confirmed at a certain time.
What seemed to be happening is that messages were being processed that hadn’t previously been confirmed. Once the initial exploiting transaction went through, anyone could simply submit a similar transaction to drain funds for themselves.
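A simplified model of the two-step gate described above (prove a message against a confirmed root, then process it), added here as an illustration; it is not Nomad's contract code, and the class, method names, SHA-256 hashing and timestamps are assumptions. It also rejects the empty default root, so a message that was never proven cannot pass the check.

```python
import hashlib

EMPTY_ROOT = b"\x00" * 32  # assumed default a lookup yields for a never-proven message

def h(data):
    return hashlib.sha256(data).digest()

def merkle_root(leaf, proof, index):
    """Recompute the tree root from a leaf, its sibling path and its position."""
    node = leaf
    for sibling in proof:
        node = h(node + sibling) if index % 2 == 0 else h(sibling + node)
        index //= 2
    return node

class Replica:
    """Hypothetical destination-side bridge state, reduced to the prove/process gate."""
    def __init__(self):
        self.confirm_at = {}    # root -> time from which the root is acceptable
        self.proven = {}        # message hash -> root it was proven against
        self.processed = set()  # message hashes already paid out

    def confirm_root(self, root, confirm_time):
        if root == EMPTY_ROOT:
            raise ValueError("the empty root must never be flagged as confirmed")
        self.confirm_at[root] = confirm_time

    def acceptable_root(self, root, now):
        if root == EMPTY_ROOT:  # defence in depth: "no root" is not a root
            return False
        t = self.confirm_at.get(root)
        return t is not None and now >= t

    def prove(self, message, proof, index, now):
        root = merkle_root(h(message), proof, index)
        if not self.acceptable_root(root, now):
            return False
        self.proven[h(message)] = root
        return True

    def process(self, message, now):
        msg_hash = h(message)
        root = self.proven.get(msg_hash, EMPTY_ROOT)  # unproven -> EMPTY_ROOT
        if msg_hash in self.processed or not self.acceptable_root(root, now):
            return False        # unproven, unconfirmed, too early, or a replay
        self.processed.add(msg_hash)
        return True
```

With this gate, `process` returns `False` for any message that has not first passed `prove` against a root whose confirmation time has been reached.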
Subsequently there were many such transactions from exploiters and white hats, along with the use of MEV techniques to take advantage of the situation.
The top 3 exploiters were
Some exploiters sent their funds through Tornado Cash to obfuscate the trail of funds.
As usual, the exploited project appealed for people to return their funds.
Nomad have offered a deal to the exploiters, asking for the return of 90% of the funds and allowing the other 10% to be regarded as a bug bounty.