Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

apegurus/nomad-bridge

Name: nomad-bridge
Author: apegurus

skills/case-studies/nomad-bridge/SKILL.md

Case study of the 2022 Nomad Bridge exploit: initialization bug draining ~$190M

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus nomad-bridge

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:21 AM158.9s1 file scanned

SKILL.md

name:: nomad-bridge
description:: Detects usage of the zero hash as a trusted value, which can be dangerous if it's the default state of an uninitialized mapping.
category:: reference
source_url:: https://rekt.news/nomad-rekt/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: 0x0000000000000000000000000000000000000000000000000000000000000000
severity:: High

Nomad Bridge (2022)

Overview

In August 2022, the Nomad bridge was drained of approximately $190 million in a "decentralized robbery." A routine upgrade accidentally initialized the bridge's trusted root to a zero hash (0x00), allowing anyone to bypass message verification by providing a message that hashed to a value already present in the uninitialized mapping.

Root Cause

The vulnerability was introduced during a contract upgrade. The Replica contract's confirmAt mapping was intended to store the time at which a message root was confirmed. The upgrade set the default "trusted" root to 0x00. Because uninitialized storage in Solidity is 0, any message with a root of 0x00 was automatically considered "confirmed" by the contract. This allowed users to submit withdrawal messages with arbitrary data that would be executed without valid signatures.

Attack Flow

Attacker noticed that the Replica contract accepted messages with a root of 0x00.
Attacker crafted a message to withdraw funds from the bridge.
Attacker submitted the message to the process function.
The contract checked if the message's root was confirmed. Since the root was 0x00 and the mapping returned 0 (or a value that passed the check), the message was processed.
Once the first attack was public, hundreds of other users (copycats) simply copied the transaction data, changed the recipient address, and drained the remaining funds.

Impact

Loss: ~$190M
Protocol: Nomad Bridge
Chain: Ethereum / Moonbeam / Evmos / etc.
Date: 2022-08-01

Key Transactions

First Attack tx: 0xa5ce309047a92177ad43c03f1f13a87339e38c89509cf5564d79775c4456cf92

Detection Heuristics

Pattern 1: Trusting a zero value (0x00 or 0) in a mapping that is also the default state for uninitialized entries.
Pattern 2: Lack of explicit checks to ensure that a root or hash is not the zero value before processing sensitive operations.

Remediation

Fix 1: Explicitly initialize trusted roots to a non-zero value or use a separate boolean mapping to track confirmation.
Fix 2: Add a require(root != bytes32(0)) check in the message verification logic.
Fix 3: Implement more rigorous testing for contract upgrades, specifically checking the state of critical storage variables.

References

rekt.news/nomad-rekt/
medium.com/nomad-xyz-blog/nomad-bridge-hack-post-mortem-e6f630cf3b7f

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/nomad-bridge ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

apegurus/nomad-bridge

skills/case-studies/nomad-bridge/SKILL.md

Case study of the 2022 Nomad Bridge exploit: initialization bug draining ~$190M

data-ai

Updated May 13, 2026

$ install --global

skillsauth

npx skillsauth add apegurus/solidity-argus nomad-bridge

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 13, 2026, 3:21 AM158.9s1 file scanned

SKILL.md

name:: nomad-bridge
description:: Detects usage of the zero hash as a trusted value, which can be dangerous if it's the default state of an uninitialized mapping.
category:: reference
source_url:: https://rekt.news/nomad-rekt/
source_license:: CC0
imported_at:: 2025-02-20T00:00:00Z
- regex:: 0x0000000000000000000000000000000000000000000000000000000000000000
severity:: High

Nomad Bridge (2022)

Overview

Root Cause

Attack Flow

Attacker noticed that the Replica contract accepted messages with a root of 0x00.
Attacker crafted a message to withdraw funds from the bridge.
Attacker submitted the message to the process function.
The contract checked if the message's root was confirmed. Since the root was 0x00 and the mapping returned 0 (or a value that passed the check), the message was processed.
Once the first attack was public, hundreds of other users (copycats) simply copied the transaction data, changed the recipient address, and drained the remaining funds.

Impact

Loss: ~$190M
Protocol: Nomad Bridge
Chain: Ethereum / Moonbeam / Evmos / etc.
Date: 2022-08-01

Key Transactions

First Attack tx: 0xa5ce309047a92177ad43c03f1f13a87339e38c89509cf5564d79775c4456cf92

Detection Heuristics

Pattern 1: Trusting a zero value (0x00 or 0) in a mapping that is also the default state for uninitialized entries.
Pattern 2: Lack of explicit checks to ensure that a root or hash is not the zero value before processing sensitive operations.

Remediation

Fix 1: Explicitly initialize trusted roots to a non-zero value or use a separate boolean mapping to track confirmation.
Fix 2: Add a require(root != bytes32(0)) check in the message verification logic.
Fix 3: Implement more rigorous testing for contract upgrades, specifically checking the state of critical storage variables.

References

rekt.news/nomad-rekt/
medium.com/nomad-xyz-blog/nomad-bridge-hack-post-mortem-e6f630cf3b7f

Related Skills

apegurus/vector-scan

testing

VerifiedTrustedCommunity

Specialist profile for mechanically applying the attack-vector deck and classifying vectors as skip, drop, or investigate.

SKILL.mdUpdated May 30, 2026

apegurus/periphery

tools

VerifiedTrustedCommunity

Specialist profile for libraries, helpers, base contracts, adapters, encoders, wrappers, and integration glue.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

testing

VerifiedTrustedCommunity

Specialist profile for rounding, scale, decimal, downcast, and arithmetic accounting edge cases.

SKILL.mdUpdated May 30, 2026

apegurus/math-precision

apegurus/invariant

testing

VerifiedTrustedCommunity

Specialist profile for extracting conservation laws and state couplings, then searching for violating paths.

SKILL.mdUpdated May 30, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/apegurus/solidity-argus.git

# Copy into Claude Code skills folder (global)
cp -r solidity-argus/skills/case-studies/nomad-bridge ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

apegurus/solidity-argus

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT