
Nomad

This project is archived.
The Nomad token bridge contract has recently been exploited and currently is not operational.
  • Total value locked: $4.73 K (0.83%)
  • Type: Token Bridge





    Nomad is a general messaging bridge that uses optimistic verification to validate cross-chain bridging transactions.


    Risk summary

    Note: This project's overview requires more research and might not present accurate information.


    Principle of operation

    Nomad Bridge is a Token Bridge with the ability to facilitate fast transfers via additional LP-provided liquidity. For deposits, it locks tokens in the escrow contracts on Ethereum and mints a "representation token" on the destination network. When bridging back to Ethereum, tokens are burned and then released from the escrow on Ethereum.

    Optimistic Validation

    Messages on the source (home) chain are periodically signed by the Updater. The Updater cannot censor messages, and if it refuses to attest them, it can be changed by governance. Once a message batch is attested, it is relayed to the destination (replica) by permissionless Relayers. After the 20 min fraud proof window, messages can be delivered to the destination contract. During the 20 min fraud proof window, if a malicious Updater tries to relay an invalid message batch, anyone can submit a fraud proof to the source (home) chain, slashing the Updater and stopping the home contract. On the destination, messages cannot be stopped, so receiving contracts have to be independently notified not to process messages.

    • Users can be censored if the Updater fails to attest messages and governance does not change the Updater.

    • Funds can be stolen if the Updater manages to relay a fraudulent message batch and is not slashed by Watchers during the 20 min fraud proof window.

    • Funds can be stolen if the destination contract does not block receiving fraudulent messages after the malicious Updater has been slashed.
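
The three outcomes above, as an added simplified model in Python (not Nomad's contract code and not part of the original page). Class, function and root names are constructed for illustration, and the model assumes that a fraud proof shows the Updater attested a root the home contract never committed.

```python
from dataclasses import dataclass, field

FRAUD_WINDOW = 20 * 60  # seconds: the 20 min fraud proof window


@dataclass
class Home:
    """Source-chain side (simplified model): can be stopped by a fraud proof."""
    committed_roots: set
    stopped: bool = False
    updater_slashed: bool = False

    def submit_fraud_proof(self, attested_root: str) -> bool:
        # Assumption: fraud means the Updater attested a root Home never committed.
        if attested_root not in self.committed_roots:
            self.stopped = self.updater_slashed = True
        return self.stopped


@dataclass
class Replica:
    """Destination side: never learns that the Home was stopped."""
    confirm_at: dict = field(default_factory=dict)

    def relay(self, root: str, now: int) -> None:
        self.confirm_at[root] = now + FRAUD_WINDOW  # window starts at relay time

    def deliverable(self, root: str, now: int) -> bool:
        return root in self.confirm_at and now >= self.confirm_at[root]


def forged_batch_processed(fraud_proof_sent: bool, app_unenrolls: bool) -> bool:
    """True if a forged batch reaches the receiving contract and is processed."""
    home, replica = Home({"root-honest"}), Replica()  # constructed sample roots
    enrolled = True  # receiving contract still accepts messages from this Replica
    replica.relay("root-forged", now=0)
    if fraud_proof_sent:  # a Watcher reacts inside the window
        assert home.submit_fraud_proof("root-forged")
        if app_unenrolls:
            enrolled = False  # the independent notification on the destination
    return enrolled and replica.deliverable("root-forged", now=FRAUD_WINDOW)


if __name__ == "__main__":
    for proof, unenroll in [(False, False), (True, False), (True, True)]:
        print(proof, unenroll, forged_batch_processed(proof, unenroll))
```

Only the last case blocks the forged batch: stopping the home contract alone does not change what the replica will deliver once the window has elapsed.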

    Destination tokens are upgradeable

    Note: This section requires more research and might not present accurate information.

    Transferred tokens end up as "representation tokens", some of which may be upgradeable.

    • Funds can be stolen if the destination token contract is maliciously upgraded (CRITICAL).


    The system uses the following set of permissioned addresses:

    Nomad Governor 0x9327…f68A

    Manages Nomad bridge components via GovernanceRouter contract.

    Watchers can unenroll, i.e. stop receiving messages, from a given Replica.

    Smart Contracts

    The system consists of the following smart contracts:

    Nomad Home. This contract is used to send cross-chain messages, such as deposit requests. Messages are regularly signed by the Attester.

    Nomad Replica. This contract is used to receive cross-chain messages, such as withdrawal requests, from Relayers.

    Nomad Bridge Router. Used to send messages to Home and receive messages from Replica. When receiving messages, it routes them to XAppConnectionManager. This contract stores the following tokens: USDC, FRAX, WETH, USDT, WBTC, DAI, FXS.

    XAppConnectionManager 0xFe88…3B2F

    Contract managing the list of connections to other chains (domains) and the list of watchers.

    UpgradeBeaconController 0xdB37…fD7e

    Contract managing Beacons.

    Nomad Governance Router. Manages all Nomad components.

    The current deployment carries some associated risks:

    • Funds can be stolen if a contract receives a malicious code upgrade. There is no delay on code upgrades (CRITICAL).