The latest face-saving communique from Seychelles-domiciled crypto exchange KuCoin – hacked almost two months ago for over $280 million – is that 84% of the affected assets have been recovered. Some victims will be glad the situation seems to be moving towards resolution. Others, not so much.
Leaving aside the conspiracy theories, death threats and alleged lack of communication on the part of the exchange, the KuCoin debacle raises troubling issues about blockchain decentralization and how token projects often rely on fallible intermediaries.
Following the hack, many projects whose tokens were stolen from the exchange were urged to react quickly and change their smart contracts – effectively replacing stolen tokens with new versions, known as a token swap. (A list of projects that speedily updated their tokens following the Sept. 26 hack can be found here.)
The majority of ERC-20 projects affected by the KuCoin hack (about 60%) have bowed to pressure and upgraded their tokens. While it goes against the principles of those projects to essentially cover KuCoin’s back by updating their smart contracts or replacing their tokens, they chose the easiest solution available to them. But in some cases, it’s not a straightforward process and would lead to a very messy fix.
“We consciously built our smart contract in a way that’s truly decentralized and we, as a team, can’t just halt transactions, blacklist, whitelist people and so on,” said Paul Claudius, co-founder of DIA, a crowd-driven Wikipedia for financial data and information. “As a team, we obviously trust ourselves, but we don’t think the world should have to trust us. And that’s the reason we build our smart contracts that way.”
KuCoin calls all remediating efforts “token swaps,” said Claudius, but the exchange is confusing two different things.
In some cases, it’s possible to upgrade the contract, reissue the token and create a blockchain state similar to that prior to the hack. That’s very different from a situation where reissuing the token would create two tokens.
“Then it’s like a fork,” said Claudius. “Which is the real token at the end? People would be buying the old token, not knowing this. It’s just not an option.”
In the case of DIA, some 3 million tokens were taken by the hacker, at a value of around $4 million; while this amount was not “life-threatening,” the team members had to watch powerless as the hacker sold their tokens.
“I can see why projects who had, say, 50% of their tokens affected by the hack, would choose the option to basically just pull the plug,” Claudius said. “Their backs were against the wall.”
The DMM Foundation, the organization behind Decentralized Money Market, said KuCoin’s strategy has been to turn the onus onto the decentralized governance communities behind these projects, pressuring them to swap tokens, effectively crediting KuCoin’s account.
“This leaves the community in an uproar, asking why we are not upgrading our token, when in fact it shouldn’t be our responsibility; it’s actually KuCoin’s problem,” a member of DMM, who wanted to remain nameless, told CoinDesk, adding:
“We are a DeFi protocol. We can’t do that so easily without in toto disrupting our user base and potentially exposing areas of weakness for our community.”
Token quandary
It’s one of the paradoxes at the heart of crypto that decentralized projects list on centralized exchanges and must rely on centralized custody as a potential point of failure.
Of course, that’s why decentralized exchanges (DEXs) are becoming increasingly popular as technological advances bring speed (and, in turn, attract liquidity for prominent tokens). For some smaller projects, though, listing on KuCoin is a big deal. Perhaps it is their only trading venue with relevant liquidity. So what are they going to do?
There are a number of projects that are holding out from doing a token swap, and KuCoin’s strategy seems to be to wait until they all eventually fold. During this waiting game, the exchange has employed some egregious moves, said Jag Singh, CEO of Vid, a project that delisted from KuCoin before the hack took place.
“We delisted from KuCoin because we noticed a lot of suspicious stuff going on with our token price – pumps and dumps – that we concluded could only be [caused by] the exchange itself,” said Singh. “This [delisting] meant they had less leverage over us.”
Like many others affected by the hack, Singh claims KuCoin is selling phantom tokens. If the entire balance of a token was stolen by the hacker and that project has not done a token swap, KuCoin is “trading on thin air,” Singh said. He claims this is a deliberate tactic to give rise to token swaps and reduce the amount the exchange has to reimburse.
CoinDesk asked KuCoin for comment, to which the exchange requested that questions be emailed. There has been no response to the questions, but a KuCoin representative did share some comments from KuCoin CEO Johnny Lyu comparing the hack to events like the Ethereum DAO compromise of 2016.
“Actually, in the history of crypto, token swap or hard fork situations issued several times among Bitcoin and Ethereum communities at critical timings,” Lyu said in a live-streamed update on Sept. 30. “With that, communities continued from serious crises, and everyone felt thankful to those teams that made contributions.”
The irony and insincerity of such comparisons is stunning, said Richard Sanders, founder of blockchain analytics company CipherBlade.
“The important thing is that we’re dealing with decentralized tech,” said Sanders. “So setting a precedent every single time an exchange is hacked or somebody is negligent for some centralized action goes against the very foundation of what this technology is expected to be about. Everything KuCoin is doing really boils down to them trying to save face.”