The latest face-saving communique from Seychelles-domiciled crypto exchange KuCoin – hacked almost two months ago for over $280 million – is that 84% of the affected assets have been recovered. Some victims will be glad the situation seems to be moving towards resolution. Others, not so much.
Leaving aside the conspiracy theories, death threats and alleged lack of communication on the part of the exchange, the KuCoin debacle raises troubling issues around blockchain decentralization and how token projects often rely on fallible intermediaries.
Following the hack, many projects whose tokens were stolen from the exchange were urged to react quickly and change their smart contracts – effectively replacing stolen tokens with new versions, known as a token swap. (A list of projects that speedily updated their tokens following the Sept. 26 hack can be found here.)
The majority of ERC-20 projects affected by the KuCoin hack (around 60%) have bowed to pressure and upgraded their tokens. While it goes against the principles of those projects to essentially cover KuCoin’s back by updating their smart contracts or replacing their tokens, they chose the easiest solution available to them. But in some cases, it’s not a straightforward process and would lead to a very messy fix.
“We consciously built our smart contract in a way that’s truly decentralized and we, as a team, can’t just halt transactions, blacklist, whitelist people and so on,” said Paul Claudius, co-founder of DIA, a crowd-driven Wikipedia for financial data and information. “As a team, we obviously trust ourselves, but we don’t think the world should have to trust us. And that’s the reason we build our smart contracts that way.”
KuCoin calls all remediating efforts “token swaps,” said Claudius, but the exchange is confusing two different things.
In some cases, it’s possible to upgrade the contract, reissue the token and create a blockchain state similar to that prior to the hack. That’s very different from a situation where reissuing the token would create two tokens.
“Then it’s like a fork,” said Claudius. “Which is the real token at the end? People would be trading the old token, not knowing this. It’s just not an option.”
In the case of DIA, some 3 million tokens were taken by the hacker, at a value of around $4 million; while this amount was not “life-threatening,” the team members had to watch powerless as the hacker sold their tokens.
“I can see why projects who had, say, 50% of their tokens affected by the hack, would choose the option to basically just pull the plug,” Claudius said. “Their backs were against the wall.”
The DMM Foundation, the organization behind Decentralized Money Market, said KuCoin’s strategy has been to switch the onus onto the decentralized governance communities behind these projects, pressuring them to swap tokens, effectively crediting KuCoin’s balance.
“This leaves the community in an uproar, asking why we are not upgrading our token, when in fact it shouldn’t be our responsibility; it’s actually KuCoin’s problem,” a member of DMM, who wanted to remain nameless, told CoinDesk, adding:
“We are a DeFi protocol. We can’t do that so easily without completely disrupting our user base and potentially exposing areas of weakness for our community.”
It’s one of the paradoxes at the heart of crypto, that decentralized projects list on centralized exchanges and must rely on centralized custody as a potential point of failure.
Of course, that’s why decentralized exchanges (DEXs) are becoming increasingly popular as technological advances bring speed (and, in turn, attract liquidity for prominent tokens). For some smaller projects, though, listing on KuCoin is a big deal. Perhaps it is their only trading venue with significant liquidity. So what are they going to do?
There are a number of projects that are holding out from doing a token swap, and KuCoin’s strategy seems to be to wait until they all eventually fold. During this waiting game, the exchange has employed some egregious tactics, said Jag Singh, CEO of Vid, a project that delisted from KuCoin before the hack took place.
“We delisted from KuCoin because we noticed a lot of suspicious stuff going on with our token price – pumps and dumps – that we concluded could only be [caused by] the exchange itself,” said Singh. “This [delisting] meant they had less leverage over us.”
Like many others affected by the hack, Singh claims KuCoin is selling phantom tokens. If the entire balance of a token was stolen by the hacker and that project has not done a token swap, KuCoin is “trading on thin air,” Singh said. He claims this is a deliberate tactic to induce token swaps and reduce the amount the exchange has to reimburse.
CoinDesk asked KuCoin for comment, to which the exchange asked for questions to be emailed. There has been no response to the questions but a KuCoin representative did share some comments from KuCoin CEO Johnny Lyu comparing the hack to events like the Ethereum DAO compromise of 2016.
“Actually, in the history of crypto, token swap or hard fork situations emerged several times among Bitcoin and Ethereum communities at critical timings,” Lyu said in a live-streamed update on Sept. 30. “With that, communities survived from serious crises, and everyone felt thankful to those teams that made contributions.”
The irony and hypocrisy of such comparisons is stunning, said Richard Sanders, founder of blockchain analytics company CipherBlade.
“The important thing is that we’re dealing with decentralized tech,” said Sanders. “So setting a precedent every single time an exchange is hacked or somebody is negligent for some centralized action goes against the very foundation of what this technology is supposed to be about. Everything KuCoin is doing really boils down to them trying to save face.”