Protect and serve? The dilemma of reissuing lost or frozen DeFi tokens

Published at: Oct. 28, 2020

The recent KuCoin exchange hack and ongoing OKEx incident, during which withdrawals have been frozen, have raised questions as to how blockchain projects with coins traded on exchanges should act when said exchanges are hacked or funds are stuck.

When it comes to projects such as Tron, which replaced tokens that were held by OKEx, such actions are to be expected because their work is based on a central governance model. However, are projects able to pause smart contracts or freeze tokens if they are truly decentralized?

Was all this legal?

Choosing a strategy to save users’ funds in a force-majeure situation can be a real dilemma for a project whose tokens are traded on crypto exchanges. Taking any action with funds that belong to other people is quite a responsibility, especially when it happens without these people’s prior consent.

The incidents that happened over the past month with KuCoin and OKEx — two major crypto exchanges — showed that different DeFi projects treat the security of user funds with varying degrees of responsibility. In response to the Sept. 26 hack of KuCoin, some projects froze funds, some implemented a hard fork, and others took a wait-and-see approach. Just a spoiler: All these measures effectively blacklisted the hackers’ stash of stolen tokens and helped users get their funds back, a step unprecedented for the industry. However, some people dislike that projects are making decisions without giving the community a choice.

In an attempt to stop the KuCoin hackers from cashing out stolen assets, blockchain projects pushed measures to lock the affected tokens with a share of total supply varying from 10% to 40%. Velo, Orion, Noia and about 30 other projects in total restored access to transactions by implementing a token swap, according to KuCoin data. But in fact, these were not token swaps in the usual sense of the term, as the projects replaced user tokens with new ones.

Orion Protocol was one of the first projects to respond to the announcement of the KuCoin hack. In an attempt to save 38 million tokens affected by the incident, the project team decided to reissue ORN tokens one-to-one via a token swap the same day that the hack was announced. This step, according to the project’s founders, made the previous contract address and tokens obsolete. Alexey Koloskov, CEO of Orion, told Cointelegraph:

“With near immediate effect, the stolen ORN tokens were worthless and had little to no impact on the secondary market. We worked swiftly to update our smart contract address across official exchange listings and self-listing exchanges to ensure normal trading could resume as soon as possible.”

KardiaChain, another DeFi project affected by the KuCoin security breach, with a total of $10 million worth of KAI missing, also made the previous contract address obsolete and carried out a token swap to eliminate any risk of the stolen KAI tokens ever being sold on the secondary market. Astrid Dang, head of marketing and partnerships at KardiaChain, explained that as a result of this tactic, the hackers’ tokens became worthless, while all other KAI addresses were credited with the new KAI token on a new contract address.

Other projects such as Covesting opted for less drastic measures that did not “affect immutability or decentralization of the token itself.” Specifically, Covesting locked addresses selectively, leaving user funds intact.

There were also projects such as Synthetix and Compound that had users who were affected as a result of the KuCoin hack, but they did not fork their contracts or freeze wallets. Does this imply they are more decentralized than others? Maybe, but it’s worth noting that the stolen amount is relatively minor — less than 1% of the circulating supply.

All’s well that ends well

Did the projects have another choice? The question becomes especially acute when considering the matter of the urgency required in situations where there are large amounts of money at stake. The KuCoin hack shook the entire market, and many projects were faced with a choice: act or lose control of a significant part of their funds.

The share of stolen tokens for some projects reached 40% of the total supply, which means that an attacker could cause even more damage by manipulating the price of the coins. Koloskov, whose project Orion had 38% of its circulating ORN supply compromised, told Cointelegraph:

“In order to prevent the hacker profiting from the exploit at the expense of the ORN community, we were left with little choice but to execute a token swap. We took the executive decision to immediately pause trading, deposits, and withdrawals on KuCoin, while deposits were temporarily suspended across other official listing partners.”

Some projects could not avoid falling prices. Ocean Protocol’s OCEAN lost 8%, according to CoinGecko, when the hackers sold the stolen tokens in batches of 10,000 coins. In an attempt to prevent coin prices from falling further, the project initiated a hard fork of the contract to reverse the hack for anyone choosing to adopt the new version of the contract.

Was it an action contradicting blockchain immutability? The answer is, possibly, both yes and no. On the one hand, if a project can roll back a smart contract to its previous state, then it can do it at any time to manipulate user funds. On the other hand, if the Ethereum team had not implemented its famous hard fork after the hack of The DAO in 2016, its users would not have gotten back $16 million.

For many projects, such as KardiaChain, KuCoin was the main market bringing liquidity to their investors and serving their users, and therefore, they could not allow the bulk of the funds to fall into the fraudsters’ hands. KardiaChain’s Dang said that a token swap might not have been the ideal response to a hack, but the KuCoin hack was particularly special and unique in its own way, as someone knew the private key and gained complete control. He added:

“In fact, we hesitated but when we saw the transaction where the hackers tested transferring 10,000 KAI away, we decided to pause the old smart contract. If that amount is all 524 million KAI, we would feel regretful forever.”

The community’s verdict

It may seem that a token swap can happen because projects control ERC-20 tokens on the Ethereum network. But the projects cannot control the network’s validators, so the projects need a voting session to revert the malicious attacks — that is how decentralization and blockchain work.

In response to the KuCoin hack, some projects took measures immediately, claiming they did not have any time to wait, while others asked their users for input. Judging by Twitter posts, the majority of the community supported protective actions, although there was a fair share of criticism. Koloskov explained that Orion’s initiative to implement its token swap was suggested by users:

“When the first project on KuCoin responded by token swap, Orion Protocol, our community quoted the link and suggested we do it the same way. In fact, KuCoin has been smart in coming up with this tactic and we were all in talks to take the action. Some of the projects did witness the loss when responding slowly.”

Domantas Jaskunas, the co-founder of Noia, also claimed that his project received “overwhelming support” for the solution, saying that “The alternative simply wasn’t an option.” Speaking with Cointelegraph, he added:

“Given the size of the hack, everyone including those who hold their NOIA tokens off exchanges would have been severely affected in a negative way.”

KardiaChain’s Dang noted that the KuCoin hack is a one-off, one-of-a-kind situation, and it is very rare that so many affected projects and exchanges agree on a token swap, which is unprecedented: “We can see it’s not always that we have that kind of support in this crypto world.”

The indicative situation

As of this writing, KuCoin has resumed the full service of 130 tokens on the platform. Meanwhile, crypto traders are still waiting for withdrawals to reopen on OKEx. It seems that the crypto community has not been this united since the hack of The DAO. Only the successful cooperation between exchanges and projects made the swift identification of the hacker possible and avoided even greater losses.

The available evidence suggests that it would not have been possible to quickly solve the problem without interfering with the structure of the blockchain. However, in the future, projects and users will likely be able to come to a consensus on resolving issues around the security of funds in the case of force-majeure situations. Initiatives such as the Safeguard program offered by KuCoin for supporting institutions and users affected by security incidents may make this process smoother and more transparent for the whole industry.
