Nomad Bridge Hack: Root Cause Analysis
2022-08-06 • Nomad
https://medium.com/nomad-xyz-blog/nomad-bridge-hack-root-cause-analysis-875ad2e5aacd
Nomad traced the bridge compromise to an implementation bug in the Replica contract that let forged messages pass authentication. Unproven messages could resolve to bytes32(0), and the initializer had set confirmAt[bytes32(0)] to 1, so acceptableRoot(bytes32(0)) returned true for ordinary block timestamps. That logic allowed process() calls to run without a prior Merkle proof and passed fraudulent messages to the BridgeRouter. The vulnerable code was introduced in a June 21, 2022 upgrade after a change meant to prevent invalid attestations from blocking valid message delivery.
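The check described above can be reproduced in a few lines. The following Python model is an added example, not Nomad's Solidity code: the class and method names are hypothetical, SHA-256 stands in for the contract's message hash, Merkle verification is omitted, and the `reject_zero_root` guard is one assumed mitigation, not the fix Nomad shipped.

```python
import hashlib

ZERO_ROOT = b"\x00" * 32  # models bytes32(0)

class ReplicaModel:
    """Toy model of the check described above (not the Solidity contract)."""

    def __init__(self, initial_root, reject_zero_root=False):
        self.messages = {}                    # message hash -> root it was proven under
        self.confirm_at = {initial_root: 1}   # initializer: confirmAt[root] = 1
        self.reject_zero_root = reject_zero_root  # assumed guard, not Nomad's patch
        self.delivered = []                   # stands in for the BridgeRouter hand-off

    @staticmethod
    def _hash(message):
        return hashlib.sha256(message).digest()  # stand-in for the contract's hash

    def prove(self, message, root):
        # Merkle verification is omitted; assume the proof for `root` was valid.
        self.messages[self._hash(message)] = root

    def acceptable_root(self, root, now):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        confirm_time = self.confirm_at.get(root, 0)  # unset entries read as 0
        return confirm_time != 0 and now >= confirm_time

    def process(self, message, now):
        # An unproven message has no entry, so its root reads as bytes32(0).
        root = self.messages.get(self._hash(message), ZERO_ROOT)
        if not self.acceptable_root(root, now):
            return False
        self.delivered.append(message)
        return True

def demo(now=1_659_000_000):  # constructed block timestamp
    real_root = hashlib.sha256(b"constructed committed root").digest()
    results = {}
    buggy = ReplicaModel(initial_root=ZERO_ROOT)  # confirmAt[bytes32(0)] = 1, as on the page
    results["buggy_unproven"] = buggy.process(b"never proven", now)
    guarded = ReplicaModel(initial_root=ZERO_ROOT, reject_zero_root=True)
    results["guarded_unproven"] = guarded.process(b"never proven", now)
    sane = ReplicaModel(initial_root=real_root)   # non-zero initial root
    results["sane_unproven"] = sane.process(b"never proven", now)
    sane.prove(b"legit transfer", real_root)
    results["sane_proven"] = sane.process(b"legit transfer", now)
    return results

if __name__ == "__main__":
    print(demo())
```

The model shows that the default value of an unset mapping entry and the initializer's root collide only when that root is zero; with any non-zero initial root the same `process` logic rejects unproven messages.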