Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 100 · Bridge Exploit

Nomad Bridge Drain

A routine upgrade marked the zero hash as a valid root, turning every Nomad message into a withdrawal anyone could copy-paste.

Date: August 1, 2022
Victim: Nomad
Status: Partially Recovered

On August 1, 2022, the Nomad bridge was drained for roughly $190M in what immediately became known as the first "decentralised hack" — once the exploit was public, hundreds of addresses joined in by copy-pasting the original transaction and changing the recipient.

What happened

Nomad's Replica contract verified that a message's Merkle root had been previously accepted before allowing a withdrawal. A routine upgrade initialised the contract with a committedRoot of 0x00 — but the code path that checked accepted roots treated the zero value as "already accepted" rather than "not initialised."

The result: any message whose Merkle root resolved to 0x00 after hashing was valid. By manipulating the leaves, an attacker could craft a message that withdrew arbitrary tokens. The original attacker used this to drain WBTC.

The transaction was simple enough that anyone who saw it on Etherscan could change the recipient address in calldata and resend it, withdrawing the next available token batch. Hundreds of addresses did so over the next few hours.
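The failure described above reduces to a sentinel collision: the zero value stands both for "this message was never proven" (the default of an unset mapping slot) and, after the upgrade, for a confirmed root. The following Python model is added here as an illustration; it is not Nomad's code, and the class and function names (Replica, confirm_at, messages, acceptable_root, process) are assumptions chosen to mirror the mechanism the text describes. It walks through the vulnerable initialisation, an unproven message and its copy-pasted variant both passing the check, a hardened version that refuses the zero root, and an invariant check a deployer can run after any upgrade.

```python
from dataclasses import dataclass, field
from hashlib import sha3_256

# Constructed, simplified model of a Replica-style bridge verifier. Not Nomad's
# code; names are assumptions mirroring the mechanism described in the text.

ZERO_ROOT = b"\x00" * 32  # Solidity mapping default for a bytes32 slot


def message_hash(msg: bytes) -> bytes:
    # Stand-in for keccak256; all that matters here is a stable key per message.
    return sha3_256(msg).digest()


@dataclass
class Replica:
    # root -> timestamp from which it is acceptable; 0 / absent means "never confirmed"
    confirm_at: dict = field(default_factory=dict)
    # message hash -> root it was proven against; an absent key behaves like an
    # unset Solidity mapping slot, i.e. it reads back as the zero value
    messages: dict = field(default_factory=dict)
    processed: set = field(default_factory=set)
    reject_zero_root: bool = False  # hardening switch

    def initialize(self, committed_root: bytes) -> None:
        # The "routine upgrade": the committed root is marked confirmed at once.
        # Hardened variant: refuse to ever bless the unset sentinel.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("committed root must be nonzero")
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False  # the "not initialised" value is never "already accepted"
        confirmed_at = self.confirm_at.get(root, 0)
        if confirmed_at == 0:
            return False
        return now >= confirmed_at

    def prove(self, msg: bytes, root: bytes, now: int) -> bool:
        # Legitimate path: a message is recorded against a confirmed root.
        if not self.acceptable_root(root, now):
            return False
        self.messages[message_hash(msg)] = root
        return True

    def process(self, msg: bytes, now: int) -> bool:
        h = message_hash(msg)
        if h in self.processed:
            return False  # the same message cannot be processed twice
        # A message that was never proven reads back the zero default here.
        stored_root = self.messages.get(h, ZERO_ROOT)
        if not self.acceptable_root(stored_root, now):
            return False
        self.processed.add(h)
        return True


def zero_root_is_confirmed(replica: Replica) -> bool:
    # Post-upgrade invariant check: the zero sentinel must never be a confirmed root.
    return replica.confirm_at.get(ZERO_ROOT, 0) != 0


def demo() -> dict:
    now = 1_659_312_000  # constructed timestamp
    # Constructed messages: one never proven, and a copy-pasted variant that
    # differs only in the recipient, as the text describes.
    msg_a = b"transfer 100 WBTC to 0xRECIPIENT_A"
    msg_b = b"transfer 100 WBTC to 0xRECIPIENT_B"
    real_root = b"\x01" + b"\x00" * 31  # constructed nonzero root

    vulnerable = Replica()
    vulnerable.initialize(ZERO_ROOT)  # the buggy upgrade parameter

    hardened = Replica(reject_zero_root=True)
    hardened.initialize(real_root)
    hardened.prove(msg_a, real_root, now)  # only msg_a is legitimately proven

    try:
        Replica(reject_zero_root=True).initialize(ZERO_ROOT)
        refused = False
    except ValueError:
        refused = True

    return {
        "vulnerable_flagged_by_check": zero_root_is_confirmed(vulnerable),
        "vulnerable_unproven_passes": vulnerable.process(msg_a, now),
        "vulnerable_copy_paste_passes": vulnerable.process(msg_b, now),
        "vulnerable_replay_blocked": not vulnerable.process(msg_a, now),
        "hardened_check_clean": not zero_root_is_confirmed(hardened),
        "hardened_proven_passes": hardened.process(msg_a, now),
        "hardened_unproven_rejected": not hardened.process(msg_b, now),
        "hardened_refuses_zero_init": refused,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model keeps the two reads separate on purpose: `messages.get(h, ZERO_ROOT)` reproduces the mapping default an unproven message reads back, and `confirm_at` holds what the upgrade blessed. The vulnerable instance passes both the original and the copy-pasted message because both read back the zero root, which `initialize(ZERO_ROOT)` turned into a confirmed one; `zero_root_is_confirmed` is the one-line post-deployment check that would have flagged that state before any message was processed.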

Aftermath

  • Nomad asked all participants to return funds to a recovery address. A meaningful fraction was returned, particularly by addresses that had clearly piled on opportunistically.
  • The bridge was rebuilt with proper root validation and went on to operate at reduced capacity.

Why it matters

Nomad is the canonical example of a one-character bug (0 versus nonzero in a single conditional) producing catastrophic losses. It also demonstrated how, in an open mempool, an exploit that doesn't require sophistication will spread to thousands of unrelated participants within minutes.

Sources & on-chain evidence

  1. medium.com (nomad-xyz-blog): https://medium.com/nomad-xyz-blog/nomad-bridge-incident-update-aug-1-2022-66e85b3bf4f0
  2. halborn.com: https://www.halborn.com/blog/post/the-nomad-bridge-hack-a-deeper-dive
