Nomad bridge has been drained of all funds after a recent bridge exploit caused by a vulnerability in the bridge contract that allowed it to accept arbitrary root hashes. This allowed several entities to withdraw large amounts of assets from the bridge unchecked, as confirmed by Evmos. Currently, Nomad is paused, so users cannot withdraw their ERC20 wrapped assets from Evmos back to Ethereum.
This exploit was made possible because, during a recent routine upgrade, the Nomad team initialized the trusted root to 0x00. This had the side-effect of auto-proving every message: a message that has never been proven is recorded against a root of 0x00, so once 0x00 was a trusted root, every unproven message looked confirmed. Hackers therefore didn't need to know anything about Solidity or Merkle trees. All they had to do was find a transaction that worked, find/replace the other person's address with their own, and re-broadcast it. Twitter user @samczsun explains the full details of the hack in this thread.
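The following Python model illustrates the failure described above. It is an added example, not Nomad's own Solidity; the class and field names (Replica, confirm_at, messages) and the sample hashes are constructed for illustration. It shows the weak initialization next to a hardened check that refuses to treat the "never proven" root as acceptable, plus a deployment invariant a reviewer can run against a configured instance.

```python
# Simplified model (not Nomad's code) of a replica's "is this message's
# root acceptable?" check. Hashes and roots below are constructed samples.
ZERO_ROOT = "0x" + "00" * 32  # bytes32(0): the root recorded for messages never proven


class Replica:
    def __init__(self, committed_root, reject_unproven):
        self.confirm_at = {}   # root -> timestamp from which the root is trusted
        self.messages = {}     # message hash -> root it was proven against
        self.reject_unproven = reject_unproven
        # Mirrors the upgrade step: the initial trusted root is marked
        # confirmed at timestamp 1, i.e. immediately.
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root, now):
        if self.reject_unproven and root == ZERO_ROOT:
            return False  # hardened: bytes32(0) means "never proven", never trust it
        t = self.confirm_at.get(root, 0)
        if t == 0:
            return False  # root was never committed
        return now >= t   # optimistic window has elapsed

    def prove(self, message_hash, root):
        self.messages[message_hash] = root

    def can_process(self, message_hash, now):
        # Unproven messages fall back to ZERO_ROOT; that is the whole problem.
        root = self.messages.get(message_hash, ZERO_ROOT)
        return self.acceptable_root(root, now)


def zero_root_trusted(replica):
    """Deployment invariant: a confirmed entry for bytes32(0) auto-proves everything."""
    return replica.confirm_at.get(ZERO_ROOT, 0) != 0


def demo(now=1_700_000_000):
    unproven = "0x" + "ab" * 32   # constructed message hash, never proven
    proven = "0x" + "cd" * 32     # constructed message hash with a real proof
    real_root = "0x" + "11" * 32  # constructed root the updater later confirmed

    results = {}
    for name, hardened in (("vulnerable", False), ("hardened", True)):
        r = Replica(committed_root=ZERO_ROOT, reject_unproven=hardened)
        r.confirm_at[real_root] = now - 1  # real root confirmed, window elapsed
        r.prove(proven, real_root)
        results[f"{name}_accepts_unproven"] = r.can_process(unproven, now)
        results[f"{name}_accepts_proven"] = r.can_process(proven, now)
    return results
```

Only the vulnerable configuration accepts the unproven message; both still accept the properly proven one, so the hardened check costs nothing for legitimate traffic.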
The attack also initially appeared to affect Moonbeam. Soon after the hack, Moonbeam announced it had entered maintenance mode to investigate the issue, but it has since resumed full functionality, as it became evident that the security threat was not related to the Moonbeam codebase but to the Nomad bridge to Moonbeam.
About Nomad
Nomad is an optimistic interoperability protocol that enables secure cross-chain communication and allows for a variety of cross-chain transactions.
Using Nomad:
Users can bridge tokens between chains
Asset issuers can deploy tokens across chains
DAOs can facilitate the execution of cross-chain governance proposals
Developers can build native cross-chain applications (xApps)