Protect and serve? The dilemma of reissuing lost or frozen DeFi tokens

DeFi apps attempt to return crypto funds affected by the KuCoin hack to users. Are they to blame for the issues?

The recent KuCoin exchange hack and ongoing OKEx incident, during which withdrawals have been frozen, have raised questions as to how blockchain projects with coins traded on exchanges should act when said exchanges are hacked or funds are stuck.

When it comes to projects such as Tron, which replaced tokens that were held by OKEx, such actions are to be expected because their work is based on a central governance model. However, are projects able to pause smart contracts or freeze tokens if they are truly decentralized?

Was all this legal?

Choosing a strategy to save users’ funds in a force-majeure situation can be a real dilemma for a project whose tokens are traded on crypto exchanges. Taking any action with funds that belong to other people is quite a responsibility, especially when it happens without these people’s prior consent.

The incidents that happened over the past month with KuCoin and OKEx — two major crypto exchanges — showed that different DeFi projects treat the security of user funds with varying degrees of responsibility. In response to the Sept. 26 hack of KuCoin, some projects froze funds, some implemented a hard fork, and others took a wait-and-see approach. Just a spoiler: All these measures effectively blacklisted the hackers’ stash of stolen tokens and helped users get their funds back, a step unprecedented for the industry. However, some people feel dislike that projects are making decisions without giving the community a choice.

Related: OKEx’s lips remain sealed on its sudden crypto withdrawal freeze

In an attempt to stop the KuCoin hackers from cashing out stolen assets, blockchain projects pushed measures to lock the affected tokens with a share of total supply varying from 10% to 40%. Velo, Orion, Noia and about 30 other projects in total restored access to transactions by implementing a token swap, according to KuCoin data. But in fact, these were not token swaps in the usual sense of the term, as the projects replaced user tokens with new ones.

Orion Protocol was one of the first projects to respond to the announcement of the KuCoin hack. In an attempt to save 38 million tokens affected by the incident, the project team decided to reissue ORN tokens one-to-one via a token swap the same day that the hack was announced. This step, according to the project’s founders, made the previous contract address and tokens obsolete. Alexey Koloskov, CEO of Orion, told Cointelegraph:

“With near immediate effect, the stolen ORN tokens were worthless and had little to no impact on the secondary market. We worked swiftly to update our smart contract address across official exchange listings and self-listing exchanges to ensure normal trading could resume as soon as possible.”

KardiaChain, another DeFi project affected by the KuCoin security breach, with a total amount of $10 million worth of KAI missing, also took the action of making the previous contract address obsolete and underwent a token swap to eliminate any risk of the stolen KAI tokens ever being sold on the secondary market. Astrid Dang, head of marketing and partnerships at KardiaChain, explained that as a result of this tactic, the hackers’ tokens become worthless, while all other KAI addresses were credited with the new KAI token on a new contract address.

Other projects such as Covesting opted for less drastic measures that did not “affect immutability or decentralization of the token itself.” Specifically, Covesting locked addresses selectively, leaving user funds intact.

There were also projects such as Synthetix and Compound that had users who were affected as a result of the KuCoin hack, but they did not fork their contracts or freeze wallets. Does this imply they are more decentralized than others? Maybe, but it’s worth noting that the stolen amount is relatively minor — less than 1% of the circulating supply.

All’s well that ends well

Did the projects have another choice? The question becomes especially acute when considering the matter of the urgency required in situations where there are large amounts of money at stake. The KuCoin hack shook the entire market, and many projects were faced with a choice: act or lose control of a significant part of their funds.

The share of stolen tokens for some projects reached 40% of the total supply, which means that an attacker could cause even more damage by manipulating the price of the coins. Koloskov, whose project Orion had 38% of its circulating ORN supply compromised, told Cointelegraph:

“In order to prevent the hacker profiting from the exploit at the expense of the ORN community, we were left with little choice but to execute a token swap. We took the executive decision to immediately pause trading, deposits, and withdrawals on KuCoin, while deposits were temporarily suspended across other official listing partners.”

Some projects could not avoid falling prices. Ocean Protocol’s OCEAN lost 8%, according to CoinGecko, when the hackers sold the stolen tokens in batches of 10,000 coins. In an attempt to prevent coin prices from falling further, the project initiated a hard fork of the contract to reverse the hack for anyone choosing to adopt the new version of the contract.

Was it an action contradicting blockchain immutability? The answer is, possibly, both yes and no. On the one hand, if a project can roll back a smart contract to its previous state, then it can do it at any time to manipulate user funds. On the other hand, if the Ethereum team had not implemented its famous hard fork after the hack of The DAO in 2016, its users would not have gotten back $16 million.

Related: KuCoin hack unpacked: More crypto possibly stolen than first feared

For many projects, such as KardiaChain, KuCoin was the main market bringing liquidity to their investors and serving their users, and therefore, they could not allow the bulk of the funds to fall into the fraudsters’ hands. KardiaChain’s Dang said that a token swap might not have been the ideal response to a hack, but the KuCoin hack was particularly special and unique in its own way, as someone knew the private key and gained complete control. He added:

“In fact, we hesitated but when we saw the transaction where the hackers tested transferring 10,000 KAI away, we decided to pause the old smart contract. If that amount is all 524 million KAI, we would feel regretful forever.”

The community’s verdict

It may seem that a token swap can happen because projects control ERC-20 tokens on the Ethereum network. But the projects cannot control the network’s validators, so the projects need a voting session to revert the malicious attacks — that is how decentralization and blockchain work.

In response to the KuCoin hack, some projects took measures immediately, claiming they did not have any time to wait, while others asked their users for input. Judging by Twitter posts, the majority of the community supported protective actions, although there was a fair share of criticism. Koloskov explained that Orion’s initiative to implement its token swap was suggested by users:

“When the first project on Kucoin responded by token swap, Orion Protocol, our community quoted the link and suggested we do it the same way. In fact, Kucoin has been smart in coming up with this tactic and we were all in talks to take the action. Some of the projects did witness the loss when responding slowly.”

Domantas Jaskunas, the co-founder of Noia, also claimed that his project received “overwhelming support” for the solution, saying that “The alternative simply wasn’t an option.” Speaking with Cointelegraph, he added:

“Given the size of the hack, everyone including those who hold their NOIA tokens off exchanges would have been severely affected in a negative way.”

Kardiachain’s Dang noted that the KuCoin hack is a one-off, one-of-a-kind situation, and it is very rare that so many affected projects and exchanges agree on a token swap, which is unprecedented: “We can see it’s not always that we have that kind of support in this crypto world.”

The indicative situation

As of this writing, KuCoin has resumed the full service of 130 tokens on the platform. Meanwhile, crypto traders are still waiting for withdrawals to reopen on OKEx. It seems that the crypto community has not been this united since the hack of The DAO. Only the successful cooperation between exchanges and projects made the swift identification of the hacker possible and avoided even greater losses.

The available evidence suggests that it would not have been possible to quickly solve the problem without interfering with the structure of the blockchain. However, in the future, projects and users will likely be able to come to a consensus on resolving issues around the security of funds in the case of force-majeure situations. Initiatives such as the Safeguard program offered by KuCoin for supporting institutions and users affected by security incidents may make this process smoother and more transparent for the whole industry.