Nomad Bridge Hack (2022).

An August 2022 attack on the Nomad cross-chain bridge where a single misconfigured trusted-root value allowed any user to copy-paste an existing withdrawal transaction with a different recipient — a chaotic ~$190 million crowd-drain. Cette notion relève de la catégorie Web3 et blockchain en cybersécurité.

An August 2022 attack on the Nomad cross-chain bridge where a single misconfigured trusted-root value allowed any user to copy-paste an existing withdrawal transaction with a different recipient — a chaotic ~$190 million crowd-drain.

The Nomad bridge was hacked on 1 August 2022 in one of the most chaotic incidents in Web3 history. Nomad had recently upgraded a contract and, in the process, mistakenly initialized a trusted-root value to `0x00`, which had the side effect of treating every unproven message as already valid. Anyone who saw the first attacker's successful withdrawal transaction could copy it, swap the destination address for their own, and broadcast — and the contract would dutifully pay out. As word spread on Twitter and Telegram, hundreds of independent addresses (including many one-off opportunists who would normally never touch a bridge exploit) began draining the contract simultaneously. By the time Nomad's team pulled the bridge offline, roughly $190 million had been removed. A subsequent recovery campaign asked the 'whitehat' subset of drainers to return funds; about a third of the value was recovered. The Nomad case is a canonical example of how a single misconfigured constant in a bridge contract can produce a 'crowd-sourced' exploitation pattern unique to public-blockchain incidents.

Les défenses contre Nomad Bridge Hack (2022) combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : Nomad hack, Nomad chaotic drain.