The Nomad Bridge Hack Explained

Thanks to Rekt and @samczsun for their insights.

On 1st August 2022 the Nomad bridge was hacked and within 3 hours about $190 M of funds were taken. The attack affected related projects such as EVMOS, Milkomeda and Moonbeam.

August 1st 2022

The exploits unfolds…

The exploit was spotted as unusual activity by @spreekaway, shown in this thread

It seemed that transactions were draining funds from the bridge, by sending 0.01 WBTC you could get 100 WBTC back

In theory the bridge was controlled by a transfer first being. proved and then a transaction could go through to process the movement of the funds.

So what should have been happening is that the messages submitted should have been proven, then included in a merkle tree whose root is stored and flagged as confirmed at a certain time.

What seemed to be happening is that messages were being processed that hadn’t previously been confirmed. Once the initial exploiting transaction went through, anyone could simply submit a similar transaction to drain funds for themselves.

Subsequently there were many such transactions from exploiters, white hats , along with the use of MEV techniques to take advantage of the situation.

The top 3 exploiters were

0x56D8B635A7C88Fd1104D23d632AF40c1C3Aac4e3 ($47M) 0xBF293D5138a2a1BA407B43672643434C43827179 ($40M) 0xB5C55f76f90Cc528B2609109Ca14d8d84593590E ($8M)

Some exploiters sent their funds through Tornado Cash to obfuscate the trail of funds.

As usual the exploited project appealed for people to return their funds.

Nomad have offered a deal to the exploiters asking for return of 90% of the funds, allowing the other 10% to be regarded as a bug bounty