FTC orders crypto platform Nomad to distribute $37.5 million after 2022 theft

Blockchain company Illusory Systems will have to distribute to customers about $37.5 million that it recovered following a large hack of its crypto platform Nomad in 2022. 

The Utah-based company will also have to make a range of changes to its security program in addition to compensating users impacted by the 2022 theft — which totaled about $186 million in cryptocurrency.

The Federal Trade Commission published a proposed order settling a complaint alleging that Nomad misled customers by advertising itself as a secure crypto platform. 

An investigation by the FTC found that the company did not use secure coding practices, did not implement processes for receiving and addressing vulnerability reports, and did not use widely deployed tools that might have limited consumer losses. 

The complaint explained in detail that Nomad introduced “inadequately tested code” in June 2022 containing a “significant vulnerability” that was exploited just one month later. The flaw was in the platform’s smart contract, the code deployed on the blockchain that executes transfers automatically according to rules written into it.

Nomad, a cross-chain bridge that moves cryptocurrency between different blockchains such as Avalanche (AVAX), Ethereum (ETH) and Evmos (EVMOS), performed an update on its platform that introduced the vulnerability.

The flaw let anyone withdraw more funds than they had deposited. Several cryptocurrency security firms and experts traced about 80% of the stolen funds to 41 accounts, but others noted that there was a free-for-all once news of the exploit spread.
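The mechanics matter more than the headline numbers: a bridge releases funds on one chain against proof that a matching deposit happened on another, so an upgrade that weakens that proof check turns the contract into an open vault. The Python model below is an added example written for this page, not Nomad’s contract code, and the article does not describe the real defect’s mechanics; the “broken upgrade” here is a hypothetical bug (an empty proof treated as verified) chosen to show the class of failure, and the per-window outflow cap stands in for the kind of loss-limiting control the FTC says was missing (the complaint as reported does not name a specific tool). The relayer key, message ids and amounts are all constructed.

```python
"""Toy model of a cross-chain bridge withdrawal path.

Constructed illustration for this article, not Nomad's contract code. The
proof scheme (an HMAC over message id and amount under a hypothetical relayer
key) stands in for whatever message verification a real bridge performs.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical key held by the bridge's off-chain relayer (constructed).
RELAYER_KEY = b"hypothetical-relayer-key"


def attest(msg_id: str, amount: int) -> str:
    """Proof that a deposit of `amount` tagged `msg_id` was observed on the source chain."""
    return hmac.new(RELAYER_KEY, f"{msg_id}:{amount}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Bridge:
    liquidity: int                      # funds held on the destination chain
    outflow_cap: Optional[int] = None   # max total released per window; None = no breaker
    window_outflow: int = 0
    processed: set = field(default_factory=set)

    def is_proven(self, msg_id: str, amount: int, proof: str) -> bool:
        """Correct check: the proof must match the relayer's attestation exactly."""
        return hmac.compare_digest(attest(msg_id, amount), proof)

    def withdraw(self, msg_id: str, amount: int, proof: str) -> bool:
        """Release `amount` if the message is proven, unused and within the cap."""
        if msg_id in self.processed or amount <= 0 or amount > self.liquidity:
            return False
        if not self.is_proven(msg_id, amount, proof):
            return False
        if self.outflow_cap is not None and self.window_outflow + amount > self.outflow_cap:
            return False  # circuit breaker: bounds losses even if the proof check is wrong
        self.processed.add(msg_id)
        self.window_outflow += amount
        self.liquidity -= amount
        return True


class BrokenUpgrade(Bridge):
    """Hypothetical post-upgrade bug: an empty proof is treated as already verified.

    This illustrates the failure class (anyone can withdraw without depositing);
    it is not a description of the real defect.
    """

    def is_proven(self, msg_id: str, amount: int, proof: str) -> bool:
        if proof == "":
            return True
        return super().is_proven(msg_id, amount, proof)


def drain(bridge: Bridge, per_call: int, attempts: int) -> int:
    """Attacker submits unproven withdrawals under fresh ids; returns total taken."""
    taken = 0
    for i in range(attempts):
        if bridge.withdraw(f"forged-{i}", per_call, ""):
            taken += per_call
    return taken


def simulate() -> dict:
    """Compare the correct contract, the broken upgrade, and the broken upgrade with a cap."""
    results = {}

    honest = Bridge(liquidity=1_000)
    results["honest_rejects_forged"] = drain(honest, 100, 20)                # 0
    proof = attest("dep-1", 100)
    results["honest_accepts_valid"] = honest.withdraw("dep-1", 100, proof)   # True
    results["honest_rejects_replay"] = honest.withdraw("dep-1", 100, proof)  # False

    broken = BrokenUpgrade(liquidity=1_000)
    results["broken_no_cap"] = drain(broken, 100, 20)                        # 1000, fully drained

    capped = BrokenUpgrade(liquidity=1_000, outflow_cap=300)
    results["broken_with_cap"] = drain(capped, 100, 20)                      # 300, loss bounded
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running the script shows the two points the complaint turns on: the unmodified contract rejects every forged withdrawal and the replay, while the broken upgrade hands out the entire 1,000 units to unproven requests; adding a per-window cap does not fix the bug but holds the loss to 300. The cap is the kind of control a pre-upgrade review would insist on precisely because, as the partner quoted below warned, the upgrade itself is the risk.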

“Nomad knew of the dangers of rushing code into production,” investigators wrote in the order released this week. “For example, one possible business partner warned Nomad about the need to be deliberate about upgrades ‘since upgrades themselves are risky and could lead to unrecoverable funds.’ Nomad ignored this warning, pushing into production the code that was later exploited.”

The complaint includes claims that an engineer raised security concerns with Nomad’s CEO but was ignored by top-level executives. In 2022, several Reddit users noted that Nomad had also been warned about the issue in an audit done by security company Quantstamp on June 9, 2022.

Quantstamp outlined precisely the scenario that took place and wrote in the audit that the Nomad team “has misunderstood the issue.”

Multiple “white hat” hackers exploited the vulnerability alongside the attackers in an effort to secure some of the funds before the entire platform was drained. Consumers lost about $100 million, but many of the white hats returned funds to Nomad, totaling about $37.5 million.

The proposed order would force Nomad to implement a security program to address the company’s security issues and to return recovered funds to the affected customers. 

“The FTC Act requires companies to take reasonable security measures,” said Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection. “It’s important that companies live up to their security promises to consumers.”

In addition to the security changes and the returned funds, Nomad will be required to obtain biennial assessments of its information security program from an independent third party. The FTC voted 2-0 to approve the complaint and release it for public comment.

It will be public for 30 days before the FTC decides whether to make the consent order final. 

Nomad and Illusory Systems did not respond to requests for comment. 


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.