Protect and serve? The dilemma of reissuing lost or frozen DeFi tokens


The recent KuCoin exchange hack and the ongoing OKEx incident that froze withdrawals have raised questions about how blockchain projects with coins traded on exchanges should work if those exchanges are hacked or funds get stuck.

With projects like Tron, which replaced the tokens held by OKEx, such measures can be expected, as their work is based on a central governance model. However, can projects pause smart contracts or freeze tokens if they are really decentralized?


Was it all legal?

Choosing a strategy to save user funds in a force majeure situation can be a real dilemma for a project whose tokens are traded on crypto exchanges. It is quite a responsibility to take action with money belonging to other people, especially if done without their prior consent.

Last month’s incidents with KuCoin and OKEx – two major crypto exchanges – showed that different DeFi projects deal with the security of user funds with varying degrees of responsibility. In response to the KuCoin hack on September 26th, some projects have frozen funds, some have implemented a hard fork, and others have taken a wait-and-see approach. One spoiler: all of these measures effectively blacklisted the hacker’s stash of stolen tokens and helped users get their money back, a move unprecedented for the industry. However, some people feel that projects should not make such decisions without giving the community a choice.


In order to prevent the KuCoin hackers from cashing out stolen assets, blockchain projects have taken measures to block the affected tokens, which made up between 10% and 40% of total supply. According to KuCoin data, Velo, Orion, Noia and about 30 other projects have restored access to transactions by implementing a token swap. In fact, however, these were not token swaps in the usual sense of the word, as the projects replaced user tokens with new ones.

The Orion Protocol was one of the first projects to respond to the announcement of the KuCoin hack. In order to save 38 million tokens affected by the incident, the project team decided to reissue ORN tokens individually via a token swap on the same day the hack was announced. According to the project creators, this step has made the previous contract address and tokens obsolete. Orion CEO Alexey Koloskov told Cointelegraph:

“The stolen ORN tokens were worthless almost immediately and had little or no impact on the secondary market. We worked quickly to update our smart contract address across official stock and self-listing exchanges to ensure normal trading could resume as soon as possible.”

KardiaChain, another DeFi project hit by the KuCoin breach and missing KAI for a total of $10 million, has also made the previous contract address obsolete and performed a token swap to reduce the risk of the stolen KAI tokens being sold on the secondary market. Astrid Dang, Marketing and Partnership Manager at KardiaChain, explained that this tactic made the hackers’ tokens worthless, while all other KAI addresses were credited with the new KAI token on a new contract address.

Other projects such as Covesting opted for less drastic measures that “did not affect the immutability or decentralization of the token itself”. In particular, addresses were selectively blocked, with user funds remaining intact.

There have also been projects like Synthetix and Compound whose users were affected by the KuCoin hack but whose contracts were not forked and whose wallets were not frozen. Does this mean they are more decentralized than others? Maybe, but it’s worth noting that the amount stolen is relatively small – less than 1% of the amount in circulation.

All’s well that ends well

Did the projects have any other choice? The question becomes particularly acute when one considers the issue of urgency required in situations where large amounts of money are at stake. The KuCoin hack rocked the entire market, and many projects were faced with a choice: trade a substantial portion of their funds or lose control.

The percentage of stolen tokens for some projects reached 40% of the total supply, which means that an attacker can do even more damage by manipulating the price of coins. Koloskov, whose project Orion had 38% of its circulating ORN supply affected, told Cointelegraph:

“To prevent the hacker from profiting from the exploit at the expense of the ORN community, we had no choice but to carry out a token swap. We have made the decision of the management to stop trading, deposits and withdrawals at KuCoin immediately, while deposits at other official listing partners have been temporarily suspended.”

Some projects could not avoid falling prices. According to CoinGecko, Ocean Protocol’s OCEAN lost 8% when the hackers sold the stolen tokens in stacks of 10,000 coins. To keep coin prices from falling further, the project initiated a hard fork in the contract to reverse the hack for anyone who chooses to accept the new version of the contract.

Was it an act that contradicted the immutability of the blockchain? The answer may be both yes and no. If a project can revert a smart contract to its previous status, it can do so at any time to manipulate user funds. However, if the Ethereum team hadn’t implemented its famous hard fork after The DAO hack in 2016, its users wouldn’t have gotten $16 million back.


For many projects like KardiaChain, KuCoin was the main market, bringing liquidity to their investors and serving their users. Hence, they could not allow the bulk of the funds to fall into the hands of the scammers. KardiaChain’s Dang said a token swap might not have been the ideal answer to a hack, but the KuCoin hack was extra special and unique in its own way, in that someone knew the private key and had complete control. He added:

“In fact, we hesitated, but when we saw the transaction where the hackers tested the transfer of 10,000 KAI, we decided to pause the old smart contract. If this amount is all 524 million KAI, we would be forever sorry.”

The judgment of the community

It seems that a token swap can take place because projects control ERC-20 tokens on the Ethereum network. However, the projects cannot control the network’s validators. As a result, the projects need a reconciliation meeting to reverse the malicious attacks. This is how decentralization and blockchain work.

In response to the KuCoin hack, some projects took immediate action, claiming they didn’t have time to wait, while others asked their users for input. Judging by Twitter posts, the majority of the community supported protective measures, although there was a fair share of criticism. Koloskov stated that Orion’s initiative to implement the token swap was suggested by users:

“When the first project on KuCoin responded with a token exchange, the Orion Protocol, our community quoted the link and suggested we do the same. In fact, KuCoin was smart at developing this tactic and we were all in talks to take the action. Some of the projects witnessed loss if they were slow to respond.”

Domantas Jaskunas, the co-founder of Noia, also claimed that his project received “overwhelming support” for the solution, saying that “the alternative is simply not an option.” Speaking to Cointelegraph, he added:

“Given the size of the hack, everyone, including those who keep their NOIA tokens off the exchange, would be negatively affected.”

KardiaChain’s Dang noted that the KuCoin hack is a one-off, unique situation and it is very rare for so many affected projects and exchanges to agree on a token swap that is unprecedented: “We can see that it is not always the case that we have this kind of support in this crypto world.”

The indicative situation

At this point in time, KuCoin has resumed the full service of 130 tokens on the platform. In the meantime, crypto traders are still waiting for the payouts to reopen at OKEx. It seems the crypto community hasn’t been that united since The DAO hack. Only the successful cooperation between exchanges and projects enabled the hacker to be identified quickly and prevented even greater losses.