Overview
- The proposed agreement would bar security misrepresentations, require a formal information‑security program, and mandate independent biennial assessments.
- Illusory Systems must return recovered user funds, with about $37.5 million to be repaid within a year of final approval or 30 days after related litigation concludes.
- The FTC says a June 2022 code change created the flaw exploited on August 1, 2022, draining roughly $186 million in ETH, USDC, DAI, and WBTC.
- Investigators cite missing basics such as unit tests, fraud monitoring, clear vulnerability reporting, and kill‑switch controls, with staff even relaying code from an engineer on a flight during the attack.
- The agreement is posted for public comment before a final Commission vote, and Israeli authorities earlier this year arrested Alexander Gurevich, accused of initiating the exploit.