Nomad hack: Crypto advocacy groups slam FTC ‘kill switch’ proposal

Crypto trade associations in the US have slammed a complaint filed by the Federal Trade Commission that suggested a Utah-based company broke the law when it built software without a so-called kill switch.

That software, a crypto bridge called Nomad, was hacked for nearly $200 million in 2022. While its developers were able to recover millions in stolen crypto, Nomad has failed to gain any traction since it was relaunched in December that year.

Though the project is seemingly defunct, parent company Illusory Systems agreed last year to settle a complaint filed by the FTC.

The agency alleged Illusory Systems had failed to take reasonable steps to secure its software. But its definition of “reasonable and appropriate” has alarmed the crypto industry.

“The company failed to incorporate ‘circuit breakers’ or a ‘kill switch’ that could immediately cease the functioning of the Nomad Token Bridge in the presence of suspicious transactions,” the FTC wrote in the complaint, which it published alongside the proposed settlement in December.

But that technology is far from industry standard and, in some cases, could even make software more vulnerable to hackers, four crypto trade associations wrote in a letter to the agency this week.

Moreover, the presence of a kill switch implies unilateral control — an unacceptable requirement for developers attempting to build decentralised protocols, according to the letter.

The tiff is the latest example of the myriad ways in which regulators charged with protecting consumers can impose requirements limiting developers’ ability to build such software.

The Nomad hack

Crypto bridges allow users to move their crypto between otherwise incompatible blockchains. But they have proven a lucrative target for hackers.

In April 2022, Nomad said it had raised $22 million at a $225 million valuation to build “security-first interoperability.”

Despite Nomad’s assurances, just four months later some 300 hackers exploited a bug in the bridge and made off with $186 million in crypto, something the FTC attributed to “inadequately tested code.”

Last year, crypto forensics firm TRM Labs called it “one of the most remarkable and chaotic hacks in decentralised finance history.”

The company was able to recover roughly $37 million thanks to ethical hackers who joined the plunder in order to prevent thieves from running off with every last dollar. But a relaunched bridge failed to gain any traction — as of Friday, it held just $1 million in user deposits, according to DefiLlama data.

Nomad’s final post on X was more than two years ago.

The FTC has alleged that Nomad employed “unfair security practices” — such as the lack of a kill switch — that harmed its users. As such, it misled those users when it touted its “security first” approach.

The company has agreed to settle the complaint. If the complaint and settlement are finalised, Nomad will have to implement a new information security programme and return any remaining crypto it recovered after the hack, among other things.

Impossible mandate?

But industry groups say the complaint needs to be revised, as it implies a company operates unlawfully by releasing software without certain security features, including the kill switch.

That’s a problematic requirement, as it would “require privileged control or some other centralised authority to execute,” the letter reads.

“Many of these technologies — including technologies that utilise decentralised governance and control of operations — would be stifled if not outright deemed impossible under the expectations in the Proposed Complaint.”

Even MetaMask developer Consensys weighed in.

“Circuit breakers are not industry standard today, and they were not standard at the time of the Nomad incident,” Bill Hughes, senior counsel at Consensys, wrote in a letter to the agency.

Last year, police in Israel arrested dual Russian-Israeli citizen Alexander Gurevich when he attempted to travel to Russia using documents bearing a different name, according to a report from the Jerusalem Post. Gurevich was extradited to the US on suspicion of participating in the Nomad hack.

DL News could not immediately determine Thursday whether Gurevich had ultimately been charged in connection with the hack.

Aleks Gilbert is DL News’ New York-based DeFi correspondent. You can reach him at aleks@dlnews.com.