Cryptocurrency bridge Nomad sent a message to the looters who drained nearly $200 million in tokens from its coffers earlier this week: return at least 90 percent of the ill-gotten gains, keep 10 percent as a bounty for discovering the security flaw, and Nomad will consider this a “white-hat” hack, as opposed to plain old theft, and not take legal action.
The crypto firm proposed this deal via tweet, along with the wallet address on Ethereum to which funds should be returned. It also warned: “Nomad is continuing to work with its community, law enforcement and blockchain analysis firms to ensure all funds are returned.”
Update: Nomad Bridge Hack Bounty (see below for details). Please send the funds to the official Nomad recovery wallet address on Ethereum: 0x94A84433101A10aEda762968f6995c574D1bF154
— Nomad (⤭⛓🏛) (@nomadxyz_) August 4, 2022
Nomad previously noted it was working with blockchain analysis outfit TRM Labs and custodian bank Anchorage Digital to trace the flow of stolen funds and coordinate the safe return of the tokens.
A subsequent blog post highlights the fact that even though Nomad is willing to let the thieves off easy for the heist, it can’t guarantee that law enforcement will turn a blind eye.
In a FAQ section of the blog, Nomad answers the question: Am I safe from civil liability or criminal prosecution if I retain 10 percent of the funds I took? The crypto firm reiterates that it will not pursue any legal action against what it sees as white hats. And then it added:
In other words, as ethical hackers have found out the hard way in earlier research efforts, the US Justice Department may still press charges. At the time of publication the DoJ didn’t respond to The Register’s inquiry about the likelihood of this happening.
The company confirmed the heist on Tuesday. After the initial attack, folks with several dozen addresses joined in the looting by copying transactions and inserting their wallets to receive funds.
While at least $17 million has been recovered, the cyber-ransacking highlighted the security risks around these bridges with recent security snafus totaling more than $1 billion in swiped funds: Ronin Bridge ($600 million); Qubit Bridge ($80 million); Wormhole Bridge ($320 million); Meter.io Bridge ($4.4 million); and Poly Network Bridge ($610 million that was returned).
Nomad’s blog post also explained the reasoning behind waiting a few days to announce the so-called bounty.
“Given the unprecedented number of decentralized parties involved, coordinating amongst everyone was a complex process,” it said. “We wanted to make sure we put the bounty out in the right way, so we took some additional time to make sure we considered the complexities due to the nature of the hack.” ®