How One Team Rescued $1 Million by Hacking Nomad Bridge

After Nomad Bridge was exploited for $200 million, RugDoc’s team of white hat hackers attempted to use the same exploit to rescue user funds. Here’s what happened.

In early August, the cross-chain token bridge Nomad was drained of nearly $200 million in an exploit. The cause of the exploit was clear, but fewer users know that the same exploit was also used for white hat purposes. Here’s what happened to Nomad Bridge and how RugDoc’s team successfully saved users’ funds.

What Happened to Nomad?

Nomad is a token bridge service. Essentially, it takes users’ tokens and locks them in a smart contract on one chain. New “wrapped” tokens are then issued in return on another chain.

In Nomad’s exploit, attackers were able to spoof bridge messages, and the wrapped tokens were rendered worthless as a result. You can read more about the exploit in the Twitter thread below:
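As an added illustration that is not from this post or from Nomad’s own code: the publicly documented root cause was a trusted Merkle root initialized to 0x00, so any message that had never been proven (whose mapping entry was still the zero default) passed the acceptance check. This Python model, with hypothetical names and a constructed message, shows that check beside a hardened one that refuses the zero sentinel.

```python
# Added model (not Nomad's code): a Replica-style "is this message proven?" check.
# Solidity mappings read back zero for unset keys, so once the zero root is
# marked trusted, every unproven message looks proven. Names are hypothetical.
from dataclasses import dataclass, field
from hashlib import sha256

ZERO_ROOT = b"\x00" * 32


def message_hash(msg: bytes) -> bytes:
    return sha256(msg).digest()


@dataclass
class ReplicaVulnerable:
    acceptable_root: dict = field(default_factory=dict)
    messages: dict = field(default_factory=dict)  # message hash -> root it was proven under

    def initialize(self, trusted_root: bytes) -> None:
        self.acceptable_root[trusted_root] = True  # no check that the root is non-zero

    def process(self, msg: bytes) -> bool:
        # Mirrors `require(acceptableRoot(messages[_messageHash]))`:
        # an unproven message reads back the zero default and is compared as a root.
        root = self.messages.get(message_hash(msg), ZERO_ROOT)
        return self.acceptable_root.get(root, False)


class ReplicaHardened(ReplicaVulnerable):
    def initialize(self, trusted_root: bytes) -> None:
        if trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.acceptable_root[trusted_root] = True

    def process(self, msg: bytes) -> bool:
        root = self.messages.get(message_hash(msg))
        if root is None or root == ZERO_ROOT:  # never treat the default as proven
            return False
        return self.acceptable_root.get(root, False)


def demo() -> tuple:
    """Returns (vulnerable_accepts, hardened_accepts) for a never-proven message."""
    unproven = b"constructed message with no Merkle proof"
    bad = ReplicaVulnerable()
    bad.initialize(ZERO_ROOT)  # the faulty upgrade in miniature
    good = ReplicaHardened()
    good.initialize(b"\x01" * 32)
    return bad.process(unproven), good.process(unproven)
```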

What is a White Hat Hack?

A white hat hack is an ethical way of finding vulnerabilities in smart contracts. Hackers identify the vulnerabilities, may execute them, and then report them or return the funds that were taken.

In Nomad’s case, a bounty was offered to hackers who returned at least 90% of the exploited funds—and, if they did, the hack would be considered a white hat hack and legal action would not be pursued.

What did RugDoc Do?

RugDoc’s team used the same exploit that drained Nomad Bridge to rescue some tokens and return them to the affected teams. Among the funds returned were over 170 million IAGON tokens, which, at the time of writing, total nearly $1 million.

https://twitter.com/IagonOfficial/status/1554260157001093122

If you’d like to look at the Nomad bridge wallet yourself, you can find it here.

The White Hacking Continues…

If you’re interested in white hat hacking yourself, we highly recommend going over HackenProof’s list of ongoing bug bounty programs. Familiarize yourself with the ins and outs of bug bounties, and even teach yourself some coding by watching this video:
