We Replayed the Nomad Hack. Our Tool Fired at Block 15259101 Zero Minutes In.

Brett Moore — Mon, 08 Jun 2026 22:56:02 +0000

In August 2022, the Nomad bridge was drained of $190 million over eight hours. The on-chain signal was there from the very first transaction. Nobody caught it in time.

We built Heimdall to change that.

The Problem With Bridge Security

Cross-chain bridges are the most hacked infrastructure in crypto. Ronin: $625M. Wormhole: $320M. Nomad: $190M. The pattern repeats because bridges hold enormous amounts of locked value and monitoring tooling has never kept up.

Existing tools like Forta and OpenZeppelin Defender are general-purpose. They weren't built with bridge-specific heuristics in mind. The result: slow alerts, high false-positive rates, and teams flying blind during the most critical minutes of an exploit.

Heimdall is a focused, open-source bridge monitoring and anomaly detection system built specifically for cross-chain bridges. It watches TVL, mint/burn flows, and transaction patterns in real time and fires alerts when something looks wrong.

Three Rules, Three Signals

Heimdall's detection engine is rule-based by design. No black box, no ML, just precise heuristics that map directly to known exploit patterns.

The three core rules:

large-fill — fires when a single withdrawal exceeds a configurable % of TVL. Catches the opening move of most bridge drains.

rapid-drain — fires when N large fills occur within a rolling time window. Catches the copycat cascade that followed Nomad's initial exploit.

imbalance — fires when fills across all chains exceed deposits by a configurable multiplier. The most robust signal: legitimate bridge activity always has deposits on one side. A drain doesn't.

Replaying the Nomad Hack

To validate the detection logic, We replayed the Nomad exploit against real on-chain data.

Setup:

Block range: 15259000 → 15261500 (~8 hour window)
Pre-seeded TVL matching Nomad's actual holdings: $85M USDC, $40M DAI, ~$26.5M WETH, ~$30M WBTC
1,308 real events indexed from RPC, 1,208 of which were fills

Results:

[CRITICAL][large-fill]   Single fill of 33.3% of TVL on nomad chain 1
                         @ block 15259101 (+0.0 min into hack)

[CRITICAL][rapid-drain]  20 fills in a 50-block window on nomad
                         for token 0x2260fac5… (WBTC)

[HIGH][imbalance]        WBTC fills exceed deposits by 2,570,626.8%
                         across all chains on nomad

First CRITICAL alert: block 15259101, the same block the exploit began.

Not ten minutes later. Not after the second wave of copycats. The first transaction.

The large-fill rule caught a single fill representing 33% of Nomad's total TVL. The imbalance rule flagged a 2.5 million percent excess of fills over deposits, a number that is simply impossible under any legitimate bridge activity.

Had Heimdall been running on August 1, 2022, it would have fired before a single copycat joined the drain.

What the Numbers Mean

The 2,570,626% imbalance figure deserves a moment. That's not a threshold tuning question. That's not a noisy signal requiring human judgment. That is an unambiguous on-chain fact: millions of dollars leaving a bridge with nothing coming in.

The Nomad hack was unique because it was chaotic, nearly 300 addresses piled on over 150 minutes, many just copying the original transaction calldata. That chaos is exactly what the rapid-drain rule was built to catch: not one sophisticated actor, but a flood of sequential large withdrawals in a tight window.

What's Next

Real-time Telegram alerts
Public dashboard with live TVL and alert feed
Retroactive analysis of the Hop Protocol exploit
Historical false-positive audit against 6 weeks of Across data The repo is live at github.com/moorebrett0/heimdall. If you work on a bridge team and want your bridge added, open an issue it's just a config file, not a PR into core logic.

The Broader Point

Bridges are not going away. Cross-chain activity is growing. The tooling to protect it needs to catch up.

Heimdall is one piece of that. Open source, focused, and built on the premise that the signal for most bridge exploits is not subtle, it's just not being watched.

Block 15259101 was eight hours before the last dollar left Nomad. That's eight hours to alert, respond, pause, and potentially save $190 million.

That window exists for the next bridge too. Heimdall is watching for it.

Liten: A Tiny API Gateway for Solo Devs - Looking for Feedback!

Brett Moore — Thu, 04 Sep 2025 19:39:52 +0000

Hey folks, I've been working on Liten. A lightweight, developer-friendly API gateway CLI that you can run anywhere - your laptop, Raspberry Pi, cloud VM, wherever.

I'm hoping to get some feedback from you all to make sure the README makes sense, and you can get data flowing easily.

Much appreciated!

Try it out: npm install -g liten-gateway
Demo video: Running on Raspberry Pi
Repo: https://github.com/moorebrett0/liten

DEV Community: Brett Moore