On August 1, 2022, the Nomad cross-chain bridge was drained of approximately $190 million in a chaotic ‘free-for-all’ exploit. A recent routine upgrade had inadvertently set the ’trusted root’ in Nomad’s Replica smart contract to 0x00 (zero bytes) — because any message with a zero-byte proof would be treated as valid, it made it trivially easy for anyone to claim false cross-chain messages. The initial exploiter demonstrated the attack, and the transaction was visible on-chain. Within minutes, hundreds of copycat attackers — ranging from sophisticated DeFi hackers to opportunistic users who simply copy-pasted the exploit transaction — joined in, draining the bridge of essentially all its funds. The incident was notable for its ‘chaotic’ and decentralized nature, as most previous DeFi exploits were carried out by a single sophisticated attacker. Some ‘white hat’ users also drained funds claiming to safeguard them, and Nomad later issued a call for return of funds. Approximately $36 million was eventually returned by white hat rescuers. The bug was introduced in a governance upgrade and had passed an audit — demonstrating that even audited upgrades can introduce critical vulnerabilities. Nomad subsequently raised funds to compensate affected users at approximately 18 cents per dollar lost.