Nomad Bridge hack
The Nomad token bridge was drained of about $190M in August 2022 in a chaotic 'free-for-all' after a flawed upgrade let users replay other people's withdrawal messages by copying transactions.
Also known as: Nomad, Nomad Bridge
Summary
Nomad was a cross-chain token bridge. In August 2022 a flawed smart-contract upgrade effectively treated unverified messages as valid, allowing anyone to drain funds by copying an exploiter's transaction and substituting their own address. The result was a chaotic "free-for-all" in which hundreds of addresses participated, draining roughly $190 million. [1][2]
Aftermath
Nomad asked participants to return funds, designated a recovery wallet, and offered to treat those who returned at least 90% as "white hats"; a portion of the funds was recovered. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Linked scams & cases
- BadgerDAO front-end attackRelatedProjectsA DeFi protocol whose users lost about $120M on December 2, 2021 — not via a smart-contract bug but a front-end attack: a compromised Cloudflare API key let attackers inject a script that tricked users into approving malicious token allowances, then drained their wallets.
- Wormhole bridge hackRelatedProjectsThe Wormhole bridge between Solana and Ethereum was exploited for about $325M (120,000 wETH) in February 2022 after a signature-verification flaw let the attacker mint unbacked tokens. Backer Jump Crypto replenished the funds.
People & entities involved
Sources (2)
See also
- Loci (LOCIcoin)TokensA 2017–2018 ICO for 'LOCIcoin' tied to the InnVenn IP-search platform. The SEC charged Loci and CEO John Wise with fraud for raising $7.6M on false claims about revenue, headcount, and user base; Wise also misused investor funds. Settled with a $7.6M penalty and an officer/director bar.
- Blockchain Terminal (BCT)TokensA 2017–2018 ICO (BCT tokens, ~$30M) for a 'Blockchain Terminal' — a Bloomberg-style crypto trading terminal. The SEC and DOJ said convicted ex-hedge-funder Boaz Manor secretly ran it under a fake identity ('Shaun MacDonald'), using associate Edith Pardo as a front, and lied about the product's adoption.
- Crowd Machine (CMCT)Tokens
This page was last updated on Jun 8, 2026. View revision history.