The Butterfly Effect: How an Exchange Hack Led to the Centralization and Censorship of Decentralized Projects
In late September 2020, the KuCoin exchange was hacked for over $250 million. Even though cryptocurrencies are supposed to be decentralized, many affected projects have begun to freeze or roll back stolen funds. This has led some to argue that these cryptocurrencies are more centralized than they appear.
On September 26, 2020, the centralized exchange KuCoin announced in a blog post that they had detected withdrawals out of their hot wallets. The hack resulted in a loss of $281 million in funds in many different cryptocurrencies, including Bitcoin, Ethereum, XRP, and plenty of ERC20 tokens. Though a devastating loss, KuCoin was quick to respond, and promised users that their funds would be reimbursed through their insurance fund. They also worked with other exchanges, such as Binance, Huobi, and Crypto.com, to blacklist all of the addresses associated with the hack so the hacker would be unable to exchange any of their stolen cryptocurrencies. Then, on October 3, CEO Johnny Lyu announced that the authorities have found a suspect of the hack. The result of this investigation is ongoing, but it appears that KuCoin have successfully prevented the hack from destroying their exchange, which is a far-too-common occurrence in the cryptocurrency space.
Even though the users will get their funds back and it appears that the hacker has been found, his actions have caused irreversible effects to the cryptocurrency space. For example, the exchanges that blacklisted the addresses associated with the hack have spread concerns that they are centralizing the space and creating censorship. What’s to stop these exchanges from one day preventing users that used their addresses to donate to a particular political campaign from using their service? These concerns about censorship in the space have led many users to look to decentralized exchanges as an alternative, as they are unable to blacklist addresses. As a matter of fact, this is exactly what the hacker did, as he used decentralized exchanges Uniswap and Kyber to launder his funds in a complicated manner in order to throw off authorities. Since these exchanges are decentralized, they do not require any identity verification requirements, so anyone can use them for any purpose, including laundering ill-gotten gains.
Though some privacy advocates may see the hacker’s actions as proof that decentralized exchanges are a more privacy-focused alternative than their centralized counterparts, many others have expressed concern at the lack of regulation and the public perception of these exchanges. Much like how Bitcoin in the early 2010s was classified as a “currency for buying drugs” due to the proliferation of websites such as the Silk Road using it as their primary means of exchange, people will begin to see decentralized exchanges in an analogous manner, as a “Wild West” of cryptocurrency trading where nothing is regulated. What action regulators may take is unknown to anyone, but regulation of any sort would be detrimental to a decentralized exchange, and there is a chance these exchanges would be required to fully shut down. This sort of action would completely destroy the budding DeFi movement and change the public perception of decentralized exchanges for the coming years.
This highlights the complex relationship between CeFi and DeFi exchanges. In this instance, CeFi appears to be the more regulated option, which has insurance and features in place to ensure that only verified users can exchange cryptocurrencies and be a part of this global financial movement. On the other hand, DeFi looks like an unregulated and unmonitored anarchy zone where anyone, including hackers and terrorists, can launder money without any repercussions. However, it is not that simple: CeFi also now appears to be weak, and easily able to be hacked. Nobody wants to put their money somewhere where it can easily be stolen, and this hack has broken the trust of many users who keep their funds in their exchange wallets. Decentralized Finance and its trustless nature appear ideal for keeping funds in the hands of their owners, with the only risk of hacking being the risk that the wallet owner leaks their own private keys. Depending on the person and their comfort level with cryptocurrency, this hack either solidified their stance on CeFi being the right place to store their money, or encouraged them to only use DeFi in the future.
The most controversial and centralized move made by affected cryptocurrency projects was to freeze or reissue their currency. One example is Tether, who froze twenty two million USDT inside EOS and Etheruem wallets used by the hacker. Tether is inherently centralized, as they hold all of their pegged USD in a bank, thus requiring the user to trust that they back up their funds 1:1. Nonetheless, this type of behavior causes concerns about what other reasons Tether would use to censor users from making transactions. Other projects, such as NOIA Network, Orion, and Silent Notary have created completely new ERC20 tokens and have issued them at the block before the hacks took place. This behavior from decentralized projects has confused many, as they are essentially rolling back any transactions that took place after that block number. Justifying the decentralization of these projects is difficult if they have the ability to reissue funds and censor their own token from being used. A lack of censorship is one of the key characteristics of a decentralized currency, and without it, the entire network is put in the hands of a few people, the developers. Other projects that did not do a token swap have frozen their affected tokens and plan to reissue new ones, another solution that is incredibly centralized and controversial.
If any project can simply reissue their funds at any time, what is the value proposition for these currencies? Many people would not buy shares in a company if they knew that the company could invalidate their shares at any time and for any reason. These projects did not even hold a community vote to decide the fate of their network, but instead committed to their actions without any accountability. Even though the hack was not their fault by any means, and all of the blame should be on KuCoin, many argue that the irreversibility and immutability of cryptocurrency has no exceptions. This event has set a precedent that these cryptocurrencies can be controlled by a few people, which will most definitely get the attention of regulators everywhere.
As easy as it would be to call this the beginning of the end for every cryptocurrency that exhibited centralized behavior, it is not that simple. A lot of the projects that were affected are still in development, and thus have full control over their project. If they did not have control, they would not be able to continue to develop their project, and would have to rely on the time-consuming and complicated community governance decisions, which would stifle innovation. Furthermore, a lot of those projects have incredibly small market caps (at the time of the hack Silent Notary had a $100,000 market cap, Orion had $19 million) and any sort of large trade can significantly influence the price. If the hacker was able to sell their tokens, it would have tanked the price, and the projects may never have been able to recover. The projects consider the freezes and swaps a necessary evil which will allow them to eventually complete and decentralize their projects. We simply cannot expect these projects to deliver all of their goals while they are still very early in their development. A good example of a project that has delivered their project and decentralization is Uniswap. First, they created a world-class decentralized exchange, but allowed themselves total control over the governance to ensure that any unexpected glitches or bugs could be dealt with appropriately, and so they could easily add in any new features. Then, they released their governance token, UNI, to users of the platform, and allowed the community to have control over the future of the project.
Another consideration these projects had to consider was the ethics of their actions. They knew the hacker had malicious intent and stole funds from users, could they stand idly by and let him get away with it if they had the power to stop him? The argument can be made that these decisions should not be made by project developers, as they created a project with the intention to not regulate user transactions but find themselves doing the regulating. However, when the success of their project is on the line, they did what they had to to ensure their developer fund and token would not become worthless.
Even though this seems like an unprecedented situation, Ethereum went through a similar controversy in 2016 after the DAO hack. This hack allowed someone to exploit a bug found in a smart contract worth $150 million.
Due to a bug, a hacker was able to hack the smart contract and drain all of the funds. Investors were panicked, and the future of Ethereum was uncertain. If the hacker decided to sell their stolen ETH, it would tank the price of Ethereum, and the Ethereum Foundation, whose funds were held majority in ETH, would have trouble continuing to fund the development process.
A hard fork was proposed by the founders of Ethereum, including Vitalik Buterin, which would return all of the funds to the users, and it would be as if the hack had never happened and the smart contract did not exist. As one might expect, this was an incredibly controversial decision, as many considered blockchains to be immutable, and the idea of rolling it back to a previous state seemed like a recipe for disaster and akin to bailing out banks. Nonetheless, Ethereum followed through with their decision, and it very well may have saved the project. Even though the majority of people supported Ethereum’s decision, there was a vocal minority who continued to support the original blockchain, which became known as Ethereum Classic. Vitalik still believes this was the correct move, as he has been quoted stating,
“When such a large fraction of the ecosystem is at stake, it’s worth rethinking things… A portion of the community did not download these ocde patches and implement the fork and they just said we will continue running our own, our old chain.”
Had it not been for the rollback, Ethereum very well may have faded into obscurity with the likes of MtGox, Cryptopia, and other cryptocurrency hacks. In fact, this is happening with Etheruem Classic right now, as they are getting 51% attacked frequently and their blockchain is stagnating in development. Due to the slight bit of centralized action on the part of the main development team, Ethereum has become stronger, more decentralized, and in a position to claim its title as the “world computer.”
For this reason alone, many of these projects can be forgiven for their centralized action. Even though it appears to be bad for the projects, it has saved many from becoming dead blockchains, and will hopefully lead to these projects one day becoming mainstream in the cryptocurrency space.
In order to prevent another hack and controversy again, both users, exchanges, and cryptocurrency projects need to work together to secure their platforms. All users should strongly consider buying a hardware wallet to store the majority of their funds, as this is the safest place to keep any amount of cryptocurrency. Exchanges need to implement stricter security standards and buy larger insurance plans in order to mitigate risk and loss potential. Finally, cryptocurrency projects should consider creating a governance system that tokenizes votes about the future of the platform. With these changes, cryptocurrency can take a step towards greater decentralization and democratization.