The Nomad bridge was just exploited for 165m

Currently, the details of the hack are unknown and this is not a post-mortem.

However, here are some details about the hack.

👇 🧵 (1/12)
Two hours ago, Nomad had a TVL of 165m dollars according to DefiLlama: defillama.com/protocol/nomad
Currently, there are 18 million dollars left in the contract, which will probably be drained in the next few hours.
Looking at the transactions that have interacted with the contract, we can see that all of these exploits have one thing in common, they call the `process()` function in the Nomad ERC20 Bridge Contract.
Now, the process function is as follows:
- It checks that the domain of the message is correct (i.e. a transaction signed for Evmos is meant for Evmos)
- It checks that the message has been proven by the prover
- It calls the handler to do what the message wants (i.e. bridge tokens)
Unfortunately, if you try to replay the same contract call, the execution will be reverted. Why? You shouldn't be able to withdraw something twice.
According to this thread, the bridge seems to allow the user to pass in an arbitrary amount when they withdraw that does not necessarily correlate with the amount they deposited into Nomad on the other chain.

However, it seems like some generalized MEV frontrunning bots were able to replay the old attacks and withdraw massive amounts of WETH/WBTC

If you know how to do this, please DM me lmao
If you have any funds in @nomadxyz_, @EvmosOrg, @MoonbeamNetwork, or @milkomeda_com, you need to swap out of nomad assets and use a different bridge to bridge back to Ethereum or another chain asap.
Nomad has been chosen as the canonical bridge for @EvmosOrg, @MoonbeamNetwork, and @milkomeda_com; you need to get all of your assets off these chains immediately.
Nomad has also paused the relayer and is trying to censor all bridging transactions using the watcher; however, this is likely of little help since the exploit was on the contract side and not on the infra side.
If you have any more info about the hack, please DM me or post it in the Nomad Discord. We want this to be a good outcome for everyone (except the hackers).
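As an added illustration (not the thread author's code and not Nomad's contract), the following Python model walks through the three steps the thread lists for `process()` (destination-domain check, proven check, dispatch to a handler) and adds the "already processed" bookkeeping that makes a straight resubmission of the same message revert. Domain ids, message bodies and the `Replica`/`attempt` names are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed id for "this" chain; a real replica would have it set at deploy time.
LOCAL_DOMAIN = 1000


class Reverted(Exception):
    """Stands in for an EVM revert; args[0] is the revert reason."""


@dataclass(frozen=True)
class Message:
    """Minimal cross-chain message: where it came from, where it goes, a nonce, a payload."""
    origin: int
    destination: int
    nonce: int
    body: bytes

    def hash(self) -> bytes:
        # Commit to every field so a changed destination or nonce is a different message.
        header = b"%d|%d|%d|" % (self.origin, self.destination, self.nonce)
        return hashlib.sha256(header + self.body).digest()


@dataclass
class Replica:
    """Hypothetical receiving-side contract holding proof and replay state."""
    proven: set = field(default_factory=set)      # hashes accepted by the prover
    processed: set = field(default_factory=set)   # hashes already executed
    handled: list = field(default_factory=list)   # payloads dispatched to the handler

    def prove(self, msg: Message) -> None:
        # In a real bridge this is a Merkle proof against a trusted root;
        # modelled here as a plain set insert.
        self.proven.add(msg.hash())

    def process(self, msg: Message) -> bool:
        # 1. domain check: a message meant for another chain must not execute here
        if msg.destination != LOCAL_DOMAIN:
            raise Reverted("wrong destination domain")
        h = msg.hash()
        # 2. proof check: only messages the prover accepted may execute
        if h not in self.proven:
            raise Reverted("message not proven")
        # replay protection: the same proven message executes at most once
        if h in self.processed:
            raise Reverted("already processed")
        # checks-effects-interactions: record the effect before dispatching
        self.processed.add(h)
        # 3. dispatch: the handler does whatever the payload asks (e.g. release tokens)
        self.handled.append(msg.body)
        return True


def attempt(replica: Replica, msg: Message) -> str:
    """Run process() and report 'ok' or the revert reason, for callers and tests."""
    try:
        replica.process(msg)
        return "ok"
    except Reverted as exc:
        return f"revert: {exc.args[0]}"


if __name__ == "__main__":
    r = Replica()
    m = Message(origin=2000, destination=LOCAL_DOMAIN, nonce=1, body=b"transfer 1 WETH")
    print(attempt(r, m))   # unproven -> revert
    r.prove(m)
    print(attempt(r, m))   # proven -> ok
    print(attempt(r, m))   # identical replay -> revert
```

In this model a second call with the identical message reverts on the `processed` check, which matches the thread's observation that naively replaying the same call fails; what the thread describes as bots "replaying" the attack therefore has to involve messages that pass these checks while differing from the original, which is exactly the part the thread says is not yet understood.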

Thread by Paradigm Engineer #420