- The Nomad hacks, worth $200 million, cause shockwaves.
- An FTC complaint says Illusory Systems should have had a kill switch.
- Crypto lobby groups have reacted to the complaint.
Crypto trade associations in the United States have criticized a complaint filed by the Federal Trade Commission that suggested a Utah-based company broke the law by creating software without what’s called a kill switch.
That software, a crypto bridge called Nomad, was hacked for nearly $200 million in 2022. While its developers were able to recover millions in stolen cryptocurrencies, Nomad has failed to gain traction since its relaunch in December of that year.
Although the project appears to have disappeared, parent company Illusory Systems agreed last year to settle a complaint filed by the FTC.
The agency alleged that Illusory Systems failed to take reasonable steps to secure its software. But its definition of “reasonable and appropriate” has alarmed the crypto industry.
“The Company failed to integrate ‘circuit breakers’ or a ‘kill switch’ that could immediately shut down the operation of the Nomad Token Bridge in the presence of suspicious transactions,” the FTC wrote in the complaint, which it released alongside the proposed settlement in December.
But this technology is far from the industry standard and, in some cases, could even make software more vulnerable to hackers, four crypto trade associations wrote in a letter to the agency this week.
Additionally, the presence of a kill switch implies unilateral control – an unacceptable requirement for developers attempting to create decentralized protocols, according to the letter.
The tiff is the latest example of the myriad ways regulators charged with protecting consumers can impose requirements limiting developers’ ability to create such software.
The Nomad hack
Crypto bridges allow users to move their crypto between otherwise incompatible blockchains. But they have proven to be a lucrative target for hackers.
In April 2022, Nomad said it had raised $22 million at a valuation of $225 million to build “security-first interoperability.”
Despite Nomad’s assurances, four months later, some 300 hackers exploited a bug in the bridge and pocketed $186 million in crypto, which the FTC attributed to “insufficiently tested code.”
Last year, crypto investigation firm TRM Labs called it “one of the most remarkable and chaotic hacks in the history of decentralized finance.”
The company was able to recover approximately $37 million thanks to ethical hackers who joined in the looting to prevent thieves from running off with the last dollar. But a relaunched bridge failed to gain traction: As of Friday, it held just $1 million in user deposits, according to data from DefiLlama.
Nomad’s last post on X was over two years ago.
The FTC alleged that Nomad employed “unfair security practices” – such as the lack of a kill switch – that harmed its users. As such, it misled these users by touting its “security first” approach.
The company agreed to settle the complaint. If the complaint and settlement are finalized, Nomad will be required to, among other things, implement a new information security program and return any remaining crypto recovered after the hack.
Mandate impossible?
But industry groups say the complaint needs to be revised because it implies a company is operating illegally by releasing software that lacks certain security features, including the kill switch.
This is a problematic requirement because it “would require privileged control or other centralized authority to execute,” the letter states.
“Many of these technologies – including technologies that use decentralized governance and control of operations – would be stifled if they were not outright deemed impossible under the expectations of the proposed complaint.”
Even Consensys, developer of MetaMask, has spoken out.
“Circuit breakers are not the industry standard today, and they were not at the time of the Nomad incident,” Bill Hughes, senior counsel at Consensys, wrote in a letter to the agency.
Last year, Israeli police arrested Alexander Gurevich, a dual Russian-Israeli citizen, when he tried to travel to Russia using documents with a different name, according to a report from the Jerusalem Post. Gurevich was extradited to the United States on suspicion of involvement in the Nomad hack.
DL News I could not immediately determine whether Gurevich was ultimately charged in connection with the hack.
Aleks Gilbert is DL News’ DeFi correspondent based in New York. You can reach him at aleks@dlnews.com.
