Not Your Private Keys — Nothing to Worry About?

Niki Cy
Oct 3, 2020



Crypto exchanges are the target of frequent hacking attempts and, unfortunately, their security systems occasionally succumb to an attack. Recently, on 26 September 2020, KuCoin suffered a leakage of the private keys of its hot wallets, which resulted in cryptocurrencies (BTC, ETH) and tokens (ERC-20 and others) worth over $200 million in total being withdrawn from the exchange by hackers. Given the adage every crypto owner should remember, “not your keys — not your money”, any such hack would mean that the successful attacker keeps all the benefits of the stolen crypto assets, whereas the rightful owners never get their investments back. However, with the growing number of fraudulent activities and scams, large crypto custodial organizations, together with many crypto projects, have implemented emergency measures to respond to hacks and manage their aftermath. Thus, according to KuCoin, all funds of the users affected by the hack of 26/09/2020 will be covered completely. Below, we will consider which actions, including precautionary measures, crypto organizations undertake to keep their users’ crypto assets safe and to rectify the damage caused by security breaches.

Taint tracing

Block explorers may tag a particular wallet address as tainted, i.e. being associated with scamming, hacking or other criminal activities, whereas the coins stored in that address also become tainted. For example, on Etherscan we can see tainted addresses labelled with a “red shield” icon and any flow of funds from these addresses is traced up to the latest block. The purpose of taint tracing is to make available this information to the public and to allow crypto users to make well-considered decisions before accepting the funds.

Tainted coins from a hacker’s wallet can further pass through many different wallets of good faith acquirers, but still, these coins for perpetuity may be deemed to be ‘dirty’ and linked with criminal activities.

Nowadays, crypto exchanges use security software to determine whether the cryptocurrencies and tokens they receive are tainted, and can refuse to accept such coins or even freeze them. In particular, in 2019 Binance froze tokens sent to its wallet from addresses allegedly related to the hack of Cryptopia (a New Zealand crypto exchange that subsequently went into liquidation). After the KuCoin hack, a handful of crypto exchanges have also been working in close cooperation to blacklist suspicious addresses holding the stolen funds.

Tainting in blockchain has its positive effects, as it puts more pressure on a scammer and complicates his further actions in relation to the misappropriated assets. Besides, as stated in research from Princeton University, blacklisting can complement existing anti-money-laundering measures by reducing reliance on pseudonymous accounts. At the same time, tainted coins can become more of a problem for an innocent, inexperienced crypto holder than for a hacker, since the latter can bypass the measure smoothly (e.g., via mixers, crypto projects like ‘Incognito’, or simply a number of “hops” of transactions after which coins are deemed to be clean).
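To make the mechanics of the section above concrete, here is an added illustration (not code from the article or from any explorer or exchange) of how a deposit-screening filter can propagate taint over a transaction graph. It replays a small constructed ledger, applies two common rules (the strict “poison” rule, where any contact with a flagged address taints the receiver, and the proportional “haircut” rule, where taint moves in proportion to the sender’s tainted share), tracks the hop distance from the flagged source, and shows how a hop cut-off lets diluted funds slip through. All addresses, amounts and the `max_hops` / `max_share` thresholds are assumptions made for the example.

```python
"""Toy taint propagation for deposit screening (constructed example)."""
import math
from collections import defaultdict

# Constructed sample ledger, not real chain data: (tx_id, sender, receiver, amount).
# "hacker" is the address an explorer has flagged; "mixer_in" pools dirty and clean funds.
TXS = [
    ("t1", "hacker", "mixer_in", 100.0),
    ("t2", "clean_source", "mixer_in", 300.0),
    ("t3", "mixer_in", "alice", 40.0),
    ("t4", "mixer_in", "bob", 360.0),
    ("t5", "alice", "exchange_deposit", 40.0),
    ("t6", "bob", "carol", 100.0),
    ("t7", "carol", "exchange_deposit", 50.0),
]
TAINTED_SOURCES = {"hacker"}  # assumed blacklist ("red shield" addresses)


def poison_set(txs, tainted_sources):
    """Strict rule: every address that ever received funds from a tainted
    address is tainted too, regardless of how small the dirty share is."""
    dirty = set(tainted_sources)
    for _, sender, receiver, _ in txs:
        if sender in dirty:
            dirty.add(receiver)
    return dirty


def propagate_taint(txs, tainted_sources):
    """Haircut rule: replay the ledger in order, keeping per-address balance,
    tainted balance and the minimum hop distance from a flagged source.
    Senders with no tracked inflow are treated as external clean funding."""
    balance = defaultdict(float)
    tainted = defaultdict(float)
    hops = {src: 0 for src in tainted_sources}
    for _, sender, receiver, amount in txs:
        tracked = sender not in tainted_sources and balance[sender] > 0
        if sender in tainted_sources:
            fraction = 1.0  # everything leaving a flagged address is dirty
        elif tracked:
            fraction = tainted[sender] / balance[sender]
        else:
            fraction = 0.0
        moved = amount * fraction
        if tracked:
            balance[sender] -= amount
            tainted[sender] -= moved
        balance[receiver] += amount
        tainted[receiver] += moved
        if moved > 0 and sender in hops:
            hops[receiver] = min(hops.get(receiver, math.inf), hops[sender] + 1)
    return balance, tainted, hops


def screen_deposit(address, balance, tainted, hops, max_hops=3, max_share=0.05):
    """Decision a compliance filter might take on an inbound deposit address.
    Returns (decision, tainted_share, hop_distance). Funds further than
    max_hops from a flagged source are treated as clean, which is exactly the
    loophole the article describes."""
    share = tainted[address] / balance[address] if balance[address] > 0 else 0.0
    hop = hops.get(address, math.inf)
    if share == 0.0 or hop > max_hops:
        return "accept", share, hop
    if share >= max_share:
        return "hold", share, hop  # freeze pending manual review
    return "accept_flagged", share, hop


if __name__ == "__main__":
    bal, tnt, hp = propagate_taint(TXS, TAINTED_SOURCES)
    print("poison rule taints:", sorted(poison_set(TXS, TAINTED_SOURCES)))
    for addr in ("alice", "bob", "carol", "exchange_deposit"):
        print(addr, screen_deposit(addr, bal, tnt, hp))
    # Same deposit, looser hop cut-off: the 25% dirty share is waved through.
    print("with max_hops=2:", screen_deposit("exchange_deposit", bal, tnt, hp, max_hops=2))
```

Under the haircut rule the exchange deposit ends up 25% tainted (22.5 of 90 units) at hop distance 3, so it is held for review with the default cut-off; raising the tolerance to two hops accepts the same funds unchanged. The poison rule, by contrast, marks `alice`, `bob` and `carol` as dirty even though most of their balance came from `clean_source`, which is the over-blocking of innocent holders the section warns about.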

CEXs’ Insurance for Digital Assets

To mitigate the risks associated with outside attacks, a number of large centralized exchanges have developed their insurance policies to provide coverage for their clients in case of security flaws. In this regard, we can observe two main trends.

To start with, some exchanges have obtained insurance from large insurance brokerage firms to compensate for their potential losses. For instance, Bittrex holds an insurance policy covering up to $300 million in the case of an incident (whether external theft or internal collusion) on Bittrex’s internal cold storage custody platform. For its part, Coinbase insured up to $255 million of digital assets stored in online hot-storage wallets, which amount to 2% of all assets it holds. The reasoning behind covering hot wallets is that they are significantly more exposed to potential hacks.

Gemini has launched the world’s first captive company, Nakamoto Ltd., to insure crypto custody of its digital asset platform for up to $200 million. Gemini also maintains commercial crime insurance for digital assets held in their hot wallet, extending to cases of security breaches, fraudulent transfers, or employee thefts.

Further, setting aside funds is another approach chosen by some exchanges to protect their users’ assets. The most notable instance is Binance, which created its own fund, the ‘Secure Asset Fund for Users’ (SAFU), in 2018. It allocates 10% of all trading fees received into the SAFU to protect its users’ interests in extreme cases such as hacks. Interestingly, a popular crypto meme appeared alongside SAFU: following rumours that Binance’s security system had been compromised, Binance CEO Changpeng Zhao, reassuring users that their funds were indeed safe in their accounts, tweeted: “Funds are safe”. Later, in response, the Bizonnaci YouTube channel released a mocking video titled “Funds Are Safu”. That video quickly spread across the community and the phrase “Funds are safu” became crypto slang.

Source: https://hedgetrade.com/funds-are-safu-definition/

Another example of an exchange accumulating its own reserve: Huobi announced that it would set up reserve funds totalling 20,000 BTC (collected from a buyback program of Huobi tokens), to be used to compensate for losses in cases of security breaches.

After the hack, KuCoin also announced that all users’ funds lost as a result of the hack are covered by its insurance fund established in 2018.

As can be noted, the insurance funds of the exchanges extend only to emergencies caused by flaws in the exchanges’ own security systems; they do not cover losses resulting from a compromise of personal security (such as loss of login credentials).

Restitution


After the KuCoin hack, several blockchain projects affected by it have been actively involved in reversing its negative effects by freezing, invalidating or swapping their tokens, or otherwise restoring the situation that preceded the hack. Eventually, this movement became widespread, and these projects one way or another deactivated 65% of the funds stolen from the exchange.

For instance, Bitfinex and Tether froze a total of $33 million USDT (on the EOS and the Ethereum networks respectively); Covesting froze 3.12 million COV tokens; Ocean Protocol initiated a hard fork of the Ocean Token contract with the effect of invalidating over $8.6 million worth of stolen tokens; KardiaChain and Orion completed 1:1 token swaps, annulling about $10.2 million and $9.5 million worth of their stolen tokens, respectively; and VELO is to replace about $75.7 million worth of affected tokens.

Reverting to the ‘status quo’ is a known practice in the blockchain sector. In 2016, as a result of the infamous collapse of The DAO, the Ethereum community agreed to hard-fork the Ethereum blockchain in order to restore all funds lost to the original contract. This decision was controversial, as it showed that the concept of a purportedly immutable blockchain ledger could be undermined, and at the time it even led to a split of Ethereum into two separate blockchains.

Since the KuCoin hack, this kind of dispute has arisen again. On the one hand, ‘crypto is about irreversibility and trustlessness’, and the fully decentralized nature of a blockchain over which developers or a single individual can exercise this much control (e.g., by freezing its tokens) can be called into question. In relation to Bitcoin, a similar practice is unlikely to be achievable, because it would require the consent of the majority of miners around the world as well as of the economic majority.

On the other hand, the restoration actions taken seem to be justified by a good reason — protecting crypto owners and stopping hackers from taking profits. Moreover, there was intense pressure from the aggrieved part of the community to return their funds, which also fuelled the debate.

In reality, it is not easy to strike the right balance between the pure idea of decentralization and the real losses of thousands of users. It is not inconceivable that the blockchain projects’ responses and the overall movement in the aftermath of the KuCoin hack could set a precedent for handling similar incidents in the future.

To sum up, the crypto industry has been developing rather considerable mechanisms, albeit some of them controversial enough, to address different kinds of illegal activities. Their practical application, which we were able to observe in the KuCoin case, was quick and efficient, although part of the damage remained uncovered — e.g., the KuCoin hackers managed to transfer thousands of dollars’ worth of Synthetix Network Token (SNX) to Uniswap. Even so, in that case the loss is borne by the exchange rather than by a private token owner. Hence, at a time when many small and medium-sized crypto exchanges do not offer their customers any protection in case of emergencies (Google 2FA is used as a matter of course), the large exchanges, such as KuCoin, seem to be starting a new trend. So far, however, crypto user protection schemes appear to focus primarily on larger amounts, the magnitude of the situation and public engagement; at a personal level, everyone should still take care of their private keys on their own.

