Nomad Bridge: Initialisation Error — Zero-Address Trusted Root (Merkle Proof Bypass)
Summary
Nomad Bridge suffered a cross-chain bridge exploit on 2022-08-02, resulting in a loss of approximately $190M.
What happened
A routine upgrade of Nomad Bridge accidentally set the zero address as a trusted Merkle root, so every message was treated as valid by default. What would otherwise have been a sophisticated bridge hack became a permissionless free-for-all: anyone could copy-paste the exploit transaction, and $190M was drained over 2.5 hours.
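A simplified Python model of the root check described above, added here as an illustration and not taken from Nomad's contracts. The `Replica` class, its method names, the SHA-256 hashing and the sample messages are assumptions; the model relies on an unproven message resolving to the all-zero value, as an unset mapping slot does.

```python
import hashlib

ZERO_ROOT = bytes(32)  # the all-zero value that was marked as trusted

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def root_from_proof(leaf, index, siblings):
    """Recompute a Merkle root from a leaf and its sibling path."""
    node = leaf
    for sib in siblings:
        node = h(sib, node) if index & 1 else h(node, sib)
        index >>= 1
    return node

class Replica:
    """Simplified model; class and method names are hypothetical."""
    def __init__(self, committed_root, hardened=False):
        if hardened and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.hardened = hardened
        self.trusted_roots = {committed_root}
        self.proven_under = {}  # message hash -> root it was proven against
        self.processed = set()

    def prove(self, message, index, siblings):
        root = root_from_proof(h(message), index, siblings)
        if root not in self.trusted_roots:
            return False
        self.proven_under[h(message)] = root
        return True

    def process(self, message):
        mh = h(message)
        if mh in self.processed:
            return False
        if self.hardened and mh not in self.proven_under:
            return False  # mitigation: require an explicit proof record
        # Unproven messages fall back to the zero value, like an unset mapping slot.
        root = self.proven_under.get(mh, ZERO_ROOT)
        if root not in self.trusted_roots:
            return False
        self.processed.add(mh)
        return True

# Constructed sample data: a two-leaf tree and one message that was never proven.
MSGS = [b"msg-0", b"msg-1"]
LEAVES = [h(m) for m in MSGS]
GOOD_ROOT = h(LEAVES[0], LEAVES[1])
UNPROVEN = b"msg-never-proven"
```

With `Replica(GOOD_ROOT)` an unproven message is rejected; with `Replica(ZERO_ROOT)` the same message passes `process()` without any proof, which is the condition the initialisation parameter created. The hardened mode shows two independent checks: refuse a zero root at initialisation, and require a stored proof record before processing.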
Linked factors
- RD-F-004 — causal: Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited upgrade (initialisation parameter)]
- RD-F-006 — causal: Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — Replica contract upgraded June 2022]
- RD-F-007 — related: Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
- RD-F-101 — illustrative: Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action (Y/N): Y — June upgrade that introduced the bug]