The latest face-saving communique from the Seychelles-based crypto exchange KuCoin, which was hacked for over $280 million nearly two months ago, says 84% of the affected assets have been restored. Some victims will be glad that the situation seems to be moving towards a solution. Others not so much.
Aside from the conspiracy theories, death threats and the alleged lack of communication on the part of exchanges, the KuCoin debacle raises worrying questions about blockchain decentralization and how token projects often rely on fallible intermediaries.
After the hack, many projects whose tokens were stolen from the exchange were asked to act quickly and change their smart contracts. As a result, stolen tokens have effectively been replaced with new versions, a process known as a token swap. (A list of projects that quickly updated their tokens after the September 26 hack can be found here.)
The majority of the ERC-20 projects affected by the KuCoin hack (around 60%) bowed to the pressure and improved their tokens. Although it is against the principles of these projects to essentially cover KuCoin's back by updating their smart contracts or replacing their tokens, they have chosen the simplest solution available to them. However, in some cases this is not an easy process and results in a very confusing solution.
"We deliberately built our smart contract in a way that is really decentralized, and we as a team can't just stop transactions, blacklists, whitelist people, etc.," said Paul Claudius, co-founder of DIA, a crowd- Driven Wikipedia for financial data and information. "As a team, of course, we trust ourselves, but we don't believe the world has to trust us. And that's why we build our smart contracts that way."
KuCoin calls all cleanup efforts "token swaps," Claudius said, but the exchange confuses two different things.
In some cases it is possible to update the contract, reissue the token and create a blockchain state similar to what it was before the hack. This is very different from a situation where reissuing the token would create two tokens.
"Then it's like a fork," said Claudius. "What is the real sign in the end? People would trade the old token without knowing it. It's just not an option."
In the case of DIA, the hacker took around 3 million tokens worth around 4 million US dollars. While this amount was not "life threatening", the team members had to watch powerlessly as the hacker sold their tokens.
"I can see why projects where, for example, 50% of their tokens were affected by the hack would choose the option of basically just pulling the plug," said Claudius. "Your back was against the wall."
The DMM Foundation, the organization behind the decentralized money market, said KuCoin’s strategy is to shift responsibility to the decentralized governance communities behind these projects and pressure them to exchange tokens to effectively balance KuCoin appreciate.
"This is causing an uproar in the community and asking why we are not updating our token when it shouldn't be our responsibility. It's actually KuCoin 's problem," a member of DMM who wanted to remain nameless told CoinDesk and added:
“We are a DeFi protocol. We can't do this that easily without completely disrupting our user base and uncovering potential vulnerabilities for our community. "
It is one of the paradoxes at the heart of Crypto that decentralized projects are listed on central exchanges and have to rely on centralized custody as a potential point of failure.
This, of course, is why decentralized exchanges (DEXs) are becoming increasingly popular as technological advances bring speed (and in turn, liquidity for prominent tokens). However, for some smaller projects, listing on KuCoin is a big deal. Perhaps it is their only trading venue with significant liquidity. So what are they going to do?
There are a number of projects holding back token swaps, and KuCoin's strategy seems to be to wait until they all eventually work out. During that waiting game, the exchange used some formidable tactics, said Jag Singh, CEO of Vid, a project delisted from KuCoin prior to the hack.
"We delisted from KuCoin because we noticed a lot of suspicious things with our token price – pumps and dumps – that we found could only be caused by the exchange itself," said Singh. "This (delisting) meant they had less of an impact on us."
Like many others affected by the hack, Singh claims that KuCoin is selling phantom tokens. If the hacker has stolen all of a token's balance and this project has not carried out a token swap, KuCoin trades “in the air,” said Singh. He claims this is a deliberate tactic to initiate token swaps and reduce the amount that the exchange has to refund.
CoinDesk asked KuCoin for a comment, to which the exchange emailed questions. There was no answer to the questions, but a KuCoin representative shared some comments from KuCoin CEO Johnny Lyu comparing the hack to events like the 2016 Ethereum DAO compromise.
"In the history of the crypto situation, token swap or hard fork situations between Bitcoin and Ethereum communities have occurred several times at critical times," Lyu said in a live streaming update on September 30th, and all of them were Grateful teams that contributed. "
The irony and hypocrisy of such comparisons is staggering, said Richard Sanders, founder of blockchain analytics firm CipherBlade.
"The important thing is that it is decentralized technology," said Sanders. “So if you set a precedent every time an exchange is hacked or someone neglects to take centralized action, it goes against the very foundation of what this technology is supposed to be about. Everything KuCoin does boils down to trying to save their face. "