Daniel Francis

Nomad Community Hacking

In the wake of all the hacks occurring in the DeFi space, if I have to convince you why security should be a number one priority, something is wrong. Nomad popped like a piñata, and everyone wanted in on the hacking frenzy. According to Peckshield, more than 41 addresses drained $152 million(~80%) of the stolen funds. Nomad community hacking, first time for everything.

With $190 million drained in hours, Nomad became the fifth largest DeFi hack. The Ronin bridge hack takes the number one spot with a loss of $624 million.

DeFi Llama. From $190 m to $1,794 in hours

What is a bridge?

A blockchain bridge is a technology that connects two blockchains to allow them to communicate. A blockchain bridge will enable you to engage in DeFi activities on the Ethereum network if you hold bitcoin but do not want to sell it.

What is a Nomad bridge?

Nomad is a cross-chain protocol allowing users to send tokens between Ethereum, Avalanche, Evmos, Milkomeda C1, and Moonbeam networks. The goal of Nomad is to provide the connective tissue to enable users and developers to interact securely in a multi-chain world. Not too on the nose at all.

How this happened

Nomad’s trouble began when users realized they could bridge out 0.01 WBTC, and the Ethereum transaction bridged in 100 WBTC.

It appears users could call the `process` function directly, which was able to process a message without proving it first. The process function’s purpose is to verify the communication between the cross-chain bridge. The verification failed to happen as the check in the contract didn’t recognize it as an invalid transaction. Instead, it accepted the default root `0x00` that should have gotten denied in most cases. Nomads team initialized the default root in a recent commit.

This updated bug allowed the users to transfer friends out of the protocol without verifying it was there.

“It’s like using a checkbook to withdraw funds from a bank, and the bank doesn’t verify if we hold enough money,” Adrian Hetman, tech lead of the triaging team at web3 bug bounty program Immunefi, told TechCrunch. “They only care that the check itself looks valid.”

Nomad isn’t the first to be hit by an update bug. The development team is responsible for identifying all edge cases and testing before committing. Sometimes these things are overlooked, and you lose $190 million.

Multiple Attackers

Once the initial attacker started, many users began replicating the exploit. According to Foobar on Twitter repeating the exploit was made possible since “all users had to do to hack bridge funds was copy the original hacker’s transaction call data, replace the original address with a personal one, and the tx would succeed.”

Some explicitly stated they were whitehats. It’s up to them to return whatever funds they managed to liberate.



The Nomad team has released a letter with the information that hackers can send the funds if they choose to. Now we wait.

Nomad Bridge Funds Recovery Process

Dear whitehat hackers and ethical researcher friends who have been safeguarding ETH/ERC-20 tokens,

Please send the funds to the following wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154

Nomad Bridge Funds Recovery Process

What did we learn?

Adding a fix to a protocol without verifying its impact on the entire system can be fatal. Audits identify many edge cases, but once a commit is done after the audit, the auditing team can’t precinct how that affects the contract until they review it.

Reentrancy has been exploited so commonly that almost every developer knows what to do about it.

In cross-chain systems, we haven’t built up the kind of expertise about attacks yet. People don’t know what the common attacks are, and they don’t defend against them.

It’s gonna take another year or two before developers are familiar enough with cross-chain security models to build defenses as a standard.

James Prestwich, Founder/CTO of Nomad

Before a project goes live, it should get audited, and after launch, a bug bounty program to catch anything missed by the audit. The bounty can incentivize the right people to work in your protocol’s best interest as long as the prize is valued appropriately. However, auditors shouldn’t be at the last stage of the security process. For maximum security, auditors should get factored into the planning stage of the protocol. This way, security is considered with every step of the development process. This approach could reduce the number of major hacks in DeFi every month.