Illusory Systems, a Utah software firm, agreed last year to settle a U.S. regulator’s complaint after its crypto bridge, Nomad, was exploited in April 2022, losing roughly $186 million and sparking questions about missing safeguards. The complaint says the company did not include a kill switch and failed to take reasonable security steps, shortcomings the settlement would address with a new information security program and the return of recovered funds (complaint, settlement).
The April attack saw hundreds of addresses take funds after a bug, and observers described it as chaotic and large-scale (the exploit was publicly detailed when attackers exploited the bug). TRM Labs called the incident “one of the most remarkable and chaotic hacks in decentralised finance history” (TRM Labs).
The FTC said Nomad used “inadequately tested code” and flagged the lack of a kill switch as an unfair security practice. (Ed. note: circuit breakers were not industry standard at the time.)
Industry trade groups pushed back, arguing that mandating a kill switch implies centralised control and would hinder decentralised designs, as they wrote in a joint letter to the agency. Consensys also filed comments noting that “Circuit breakers are not industry standard today, and they were not standard at the time of the Nomad incident.” (Consensys letter).
Ethical hackers helped recover about $37 million, but the relaunched bridge has seen minimal deposits, according to the project’s relaunch notes (relaunched bridge).

