Nomad Crypto Bridge Class Action Says Simple Programmer Mistake Allowed $186M Hack in 2022
Singh v. Illusory Systems, Inc. et al.
Filed: February 17, 2023 § 1:23-cv-00183
A victim of the 2022 Nomad Bridge hack has sued the bridge’s operator and the entities in possession of the cryptographic keys needed to access the highly valuable crypto asset-moving pathway.
Coinbase, Inc.; Illusory Systems, Inc.; Archetype Crypto II, LLC; Consensys Software, Inc.; Connext Labs, Inc.; Ozone Networks, Inc.; Polychain Alchemy, LLC; Circle Internet Financial, LLC
Delaware
A Montreal resident who allegedly lost more than $170,000 when the Nomad Enterprise crypto asset “bridge” was hacked last summer has sued the bridge’s operator and the entities in possession of the cryptographic keys needed to access the highly valuable asset-moving pathway.
The 30-page proposed class action says that although Nomad Bridge operator Illusory Systems claimed to have employed state-of-the-art cryptography to protect users’ crypto assets on the “bridge” between blockchains, this promise was in fact “illusory,” as the company “never implemented many of its supposedly innovative security features.”
Instead, the complaint says, a Nomad programmer’s “simple mistake” in the bridge code during a routine update allowed more than $186 million in user assets to be stolen on August 2, 2022, while the company “ignored obvious signs that a hack was occurring” and failed to shut the bridge down.
According to the filing, Illusory Systems and fellow Nomad Bridge cryptographic key holders Archetype Crypto II, Consensys Software and Connext Labs are an “association-in-fact enterprise” whose alleged wrongdoing amounts to wire fraud under the federal Racketeer Influenced and Corrupt Organizations Act (RICO). The suit further alleges Archetype Crypto II and defendants Coinbase, Ozone Networks, Polychain Alchemy and Circle Internet Financial conspired with the cryptographic key holders to “bring the [Nomad Bridge] into existence,” agreeing to provide “funding, guidance and advice” to Illusory Systems in exchange for an ownership stake in the operation.
As the lawsuit tells it, Illusory Systems was created “to solely participate in the operation of an illegal money-transmitting business.”
Cross-chain bridge services such as the Nomad Bridge solve the problem of blockchain interoperability, the suit explains. Through a bridge, a user can send assets from one blockchain to another by way of two steps, the first of which uses a “smart contract” on the chain of origin to record an outgoing transaction and essentially freeze or escrow the assets. The second step, the case says, involves the bridge using another smart contract on the destination blockchain to record an incoming transaction, creating a new asset on the second chain that entitles the user to an “equivalent amount of the old asset.”
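The two-step transfer described above can be modeled in a few lines. This is an added example, not code from the complaint or from Nomad: a simplified Python model with hypothetical class and function names that omits cross-chain message authentication and shows a reconciliation check flagging incoming records that have no matching escrow on the chain of origin.

```python
from dataclasses import dataclass, field

@dataclass
class OriginContract:
    """Step 1 (hypothetical model): record the outgoing transfer, escrow the asset."""
    escrowed: int = 0
    outgoing: dict = field(default_factory=dict)  # transfer_id -> (user, amount)

    def send(self, transfer_id, user, amount):
        if amount <= 0 or transfer_id in self.outgoing:
            raise ValueError("invalid or duplicate transfer")
        self.escrowed += amount
        self.outgoing[transfer_id] = (user, amount)

@dataclass
class DestinationContract:
    """Step 2 (hypothetical model): record the incoming transfer, issue the new asset.
    Authentication of the cross-chain message is deliberately left out of this model."""
    issued: int = 0
    incoming: dict = field(default_factory=dict)  # transfer_id -> (user, amount)
    balances: dict = field(default_factory=dict)

    def receive(self, transfer_id, user, amount):
        if transfer_id in self.incoming:
            raise ValueError("transfer already processed")
        self.incoming[transfer_id] = (user, amount)
        self.balances[user] = self.balances.get(user, 0) + amount
        self.issued += amount

def reconcile(origin, dest):
    """Monitoring check: incoming records that do not match an outgoing record."""
    return sorted(tid for tid, rec in dest.incoming.items()
                  if origin.outgoing.get(tid) != rec)

def demo():
    origin, dest = OriginContract(), DestinationContract()
    origin.send("t1", "alice", 100)        # constructed sample transfer
    dest.receive("t1", "alice", 100)
    clean = reconcile(origin, dest)
    # Constructed anomaly: an incoming record the origin chain never escrowed.
    dest.receive("t2", "mallory", 500)
    return clean, reconcile(origin, dest), origin.escrowed, dest.issued

if __name__ == "__main__":
    print(demo())
```

In the model, issued assets exceeding escrowed assets is the signal that the bridge has paid out value it never took in.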
Unlike blockchains themselves, the complaint relays, bridges are generally not distributed across a wide network of machines that securely and publicly record transactions. Instead, a bridge will “take possession of users’ funds on one chain to transmit them to another,” which the lawsuit says gives rise to a “cryptographic problem” of digital real estate on these highly valuable crypto pathways.
“For this reason, many bridges have recently been hacked, resulting in billions of dollars worth [sic] of losses,” the suit states.
According to the lawsuit, the companies behind the Nomad Bridge have induced people to use it through “knowingly false promises of security.” At no point during the process of using the Nomad Bridge are users required to provide their names, residences or identification, and at no point do users “have to identify themselves at all,” the suit says.
Further, the lawsuit says, the system of checks and balances purportedly in place at Nomad, i.e., “the only thing separating it from simply trusting five companies with customers’ money,” in fact “does absolutely nothing.”
Per the complaint, the vulnerability that prompted the Nomad Bridge hack last summer “allowed anyone who saw it to craft transactions to steal funds” from the bridge. That occurred around August 1, when someone “executed a few small fraudulent transactions” on certain contracts. Had the Nomad defendants exercised due care to monitor the bridge, they could have shut down the problem and stopped future theft, the case stresses.
What happened instead, according to the suit, was a massive theft of assets perpetrated at first by one actor and then by copycats who eventually wiped out the funds in the Nomad Bridge’s possession.
“Instead, the Nomad Bridge stayed open, and on August 2, 2022, a malicious actor began executing fraudulent transactions using Nomad’s Replica contracts. Through the vulnerability introduced by the Nomad Defendants, and because there was no oversight to shut it down when the thefts were occurring, the malicious actor was able to manipulate the Nomad Bridge contracts on Ethereum to issue all the money to the malicious actor through a process called ‘spoofing.’
Once others saw the spoofing—because all blockchain transactions are public—they joined in as well. By the end of the day on August 2, the original malicious actor and many copycats had completely drained the assets in the Nomad Enterprise’s possession, resulting in a loss of more than $186 million worth of crypto assets.”
The lawsuit adds that “it is plausible” that the hacker worked “on behalf of” the Nomad defendants, as the group had no protocols in place to double-check software updates, leaving open the possibility that one person could control the blockchain address that executes updates.
According to the suit, immediately after the hack, Illusory Systems began communicating with the wallet addresses that held the stolen funds, promising to forgo legal action and allow them to keep 10 percent of what they had stolen if they returned the other 90 percent. Through this process, the filing says, the Nomad companies were able to recover roughly $36 million worth of stolen assets. However, the enterprise, now that it needs to return the money to users, has begun to “refer[] to U.S. anti-money-laundering rules” for customer verification, the suit says.
“Although it was happy to accept funds for transfer without any know-your-customer [KYC] process when it was running the bridge, it is now demanding that all customers who seek to recover their funds satisfy a self-described ‘KYC’ process,” the case reads.
The lawsuit looks to cover all people whose crypto assets were lost or stolen on or around August 2, 2022, from the Nomad Bridge.