
The $190 Million Nomad Bridge Heist: How a 0x00 Bug Enabled a Mass ‘Zero‑Cost’ Grab

On August 1, 2022, a simple 0x00 initialization bug in Nomad's cross‑chain bridge let over 300 addresses copy‑paste a transaction and drain nearly $190 million in hours, illustrating how a missed audit can trigger a massive, decentralized exploit and subsequent legal fallout.

Black & White Path

In June 2022 Nomad upgraded its bridge contract and introduced a Replica contract without a proper security audit. During the upgrade the developer mistakenly set trustedRoot to 0x00, which in the contract logic acts as a universal key that bypasses all message verification.

The vulnerability meant any message with a Merkle proof would be accepted if the stored root equaled 0x00. This is analogous to leaving a door’s “blank card = open” rule in place after a lock change.
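The root check described above, as a simplified Python model added here for illustration; it is not Nomad's contract code, and the class, method and field names are assumptions. It models an unset Solidity mapping entry reading as zero and runs the mis-initialised replica beside a hardened one that refuses the zero root both at initialisation and at processing time, using constructed sample values.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # default value of an unset 32-byte slot


class Replica:
    """Simplified model; names are assumptions, not Nomad's contract code."""
    def __init__(self, trusted_root: bytes, hardened: bool = False):
        if hardened and trusted_root == ZERO_ROOT:
            raise ValueError("trusted root must not be zero")  # fail at init time
        self.trusted_root, self.hardened = trusted_root, hardened
        self.proven = {}        # message hash -> root its proof resolved to
        self.processed = set()  # replay protection

    def prove(self, msg_hash: bytes, root: bytes) -> None:
        # Stand-in for Merkle proof verification: record the resulting root.
        self.proven[msg_hash] = root

    def process(self, msg_hash: bytes) -> bool:
        # Like an unset Solidity mapping entry, a never-proven message reads as zero.
        root = self.proven.get(msg_hash, ZERO_ROOT)
        if self.hardened and root == ZERO_ROOT:
            return False        # zero is never an acceptable root
        if root != self.trusted_root or msg_hash in self.processed:
            return False
        self.processed.add(msg_hash)
        return True


def run_scenarios() -> dict:
    # All inputs below are constructed sample values.
    real_root = hashlib.sha256(b"constructed root").digest()
    unproven = hashlib.sha256(b"constructed message, never proven").digest()
    honest = hashlib.sha256(b"constructed message, proven").digest()
    buggy = Replica(ZERO_ROOT)                   # the mis-initialised state
    fixed = Replica(real_root, hardened=True)
    fixed.prove(honest, real_root)
    try:
        Replica(ZERO_ROOT, hardened=True)
        init_rejected = False
    except ValueError:
        init_rejected = True
    return {
        "buggy_accepts_unproven": buggy.process(unproven),
        "fixed_accepts_unproven": fixed.process(unproven),
        "fixed_accepts_proven": fixed.process(honest),
        "fixed_accepts_replay": fixed.process(honest),
        "zero_root_init_rejected": init_rejected,
    }
```

The two zero-root guards are independent: the constructor check catches the bad deployment, while the check in `process` keeps a default lookup from ever matching a trusted value.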

On August 1, an attacker sent a test transaction: depositing 0.01 ETH and immediately withdrawing 100 ETH. The transaction was recorded on‑chain, and within hours more than 300 addresses copied the raw transaction data, changed the recipient address to their own wallets, and replayed it against the bridge. Because the contract saw 0x00 it trusted every message and released the funds without any cryptographic check.

The attack required no zero‑day exploit, no deep code knowledge—just copy‑paste. By the end of the day the bridge had lost almost $190 million, with most participants unaware they were “using a feature” rather than being directly hacked.

After the breach, Nomad called for refunds. Some white‑hat actors returned about $32.6 million, but the majority of participants vanished. The public nature of blockchain allowed investigators to trace the flows. In August 2023 the U.S. Department of Justice filed charges against several suspects, and by 2025 arrests were made, including Alexander Gurevich, identified as the initiator of the 0.01 ETH demo transaction.

The incident yields four key lessons: (1) Code audits are essential; skipping them can cost hundreds of millions. (2) Simple bugs can enable a “decentralized robbery” where many low‑skill actors exploit a flaw simultaneously, shrinking the response window for defenders. (3) Blockchain anonymity is a myth: on‑chain data is transparent and traceable, enabling law‑enforcement action. (4) Regulatory pressure is increasing, as shown by the FTC’s 2025 enforcement order against Nomad’s parent company.

Overall, the Nomad bridge hack demonstrates that a single mis‑initialized variable can open a Pandora’s box, and that both red‑team (attack) and blue‑team (defense) perspectives are needed to understand and mitigate such systemic risks.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
