Token Projects Are Not Happy With KuCoin's Handling of $280M Hack

Some token projects say they're left holding the bag following a hack that drained the KuCoin crypto exchange of $280 million.

Nov 13, 2020 at 6:30 p.m. UTC
Updated May 9, 2023 at 3:13 a.m. UTC

The latest face-saving communique from Seychelles-domiciled crypto exchange KuCoin – hacked almost two months ago for over $280 million – is that 84% of the affected assets have been recovered. Some victims will be glad the situation seems to be moving towards resolution. Others, not so much.

Leaving aside the conspiracy theories, death threats and alleged lack of communication on the part of the exchange, the KuCoin debacle raises troubling issues around blockchain decentralization and how token projects often rely on fallible intermediaries.

    Following the hack, many projects whose tokens were stolen from the exchange were urged to react quickly and change their smart contracts – effectively replacing stolen tokens with new versions, known as a token swap. (A list of projects that speedily updated their tokens following the Sept. 26 hack can be found here.)

    The majority of ERC-20 projects affected by the KuCoin hack (around 60%) have bowed to pressure and upgraded their tokens. While it goes against the principles of those projects to essentially cover KuCoin’s back by updating their smart contracts or replacing their tokens, they chose the easiest solution available to them. But in some cases, it’s not a straightforward process and would lead to a very messy fix.

    “We consciously built our smart contract in a way that’s truly decentralized and we, as a team, can’t just halt transactions, blacklist, whitelist people and so on,” said Paul Claudius, co-founder of DIA, a crowd-driven Wikipedia for financial data and information. “As a team, we obviously trust ourselves, but we don’t think the world should have to trust us. And that’s the reason we build our smart contracts that way.”

    KuCoin calls all remediating efforts “token swaps,” said Claudius, but the exchange is confusing two different things. 

    In some cases, it’s possible to upgrade the contract, reissue the token and create a blockchain state similar to that prior to the hack. That’s very different from a situation where reissuing the token would create two tokens.

    “Then it’s like a fork,” said Claudius. “Which is the real token at the end? People would be trading the old token, not knowing this. It’s just not an option.”

    In the case of DIA, some 3 million tokens were taken by the hacker, at a value of around $4 million; while this amount was not “life-threatening,” the team members had to watch powerless as the hacker sold their tokens. 

    “I can see why projects who had, say, 50% of their tokens affected by the hack, would choose the option to basically just pull the plug,” Claudius said. “Their backs were against the wall.”

    The DMM Foundation, the organization behind Decentralized Money Market, said KuCoin’s strategy has been to switch the onus onto the decentralized governance communities behind these projects, pressuring them to swap tokens, effectively crediting KuCoin’s balance.

    “This leaves the community in an uproar, asking why we are not upgrading our token, when in fact it shouldn’t be our responsibility; it’s actually KuCoin’s problem,” a member of DMM, who wanted to remain nameless, told CoinDesk, adding:

    “We are a DeFi protocol. We can’t do that so easily without completely disrupting our user base and potentially exposing areas of weakness for our community.” 

    Token quandary 

    It’s one of the paradoxes at the heart of crypto, that decentralized projects list on centralized exchanges and must rely on centralized custody as a potential point of failure. 

    Of course, that’s why decentralized exchanges (DEXs) are becoming increasingly popular as technological advances bring speed (and, in turn, attract liquidity for prominent tokens). For some smaller projects, though, listing on KuCoin is a big deal. Perhaps it is their only trading venue with significant liquidity. So what are they going to do?

    There are a number of projects that are holding out from doing a token swap, and KuCoin’s strategy seems to be to wait until they all eventually fold. During this waiting game, the exchange has employed some egregious tactics, said Jag Singh, CEO of Vid, a project that delisted from KuCoin before the hack took place. 

    “We delisted from KuCoin because we noticed a lot of suspicious stuff going on with our token price – pumps and dumps – that we concluded could only be [caused by] the exchange itself,” said Singh. “This [delisting] meant they had less leverage over us.”

    Like many others affected by the hack, Singh claims KuCoin is selling phantom tokens. If the entire balance of a token was stolen by the hacker and that project has not done a token swap, KuCoin is “trading on thin air,” Singh said. He claims this is a deliberate tactic to induce token swaps and reduce the amount the exchange has to reimburse.

    CoinDesk asked KuCoin for comment; the exchange asked for questions to be emailed. There has been no response to the questions, but a KuCoin representative did share some comments from KuCoin CEO Johnny Lyu comparing the hack to events like the Ethereum DAO compromise of 2016.

    “Actually, in the history of crypto, token swap or hard fork situations emerged several times among Bitcoin and Ethereum communities at critical timings,” Lyu said in a live-streamed update on Sept. 30. “With that, communities survived from serious crises, and everyone felt thankful to those teams that made contributions.”

    The irony and hypocrisy of such comparisons is stunning, said Richard Sanders, founder of blockchain analytics company CipherBlade.

    “The important thing is that we’re dealing with decentralized tech,” said Sanders. “So setting a precedent every single time an exchange is hacked or somebody is negligent for some centralized action goes against the very foundation of what this technology is supposed to be about. Everything KuCoin is doing really boils down to them trying to save face.”

