This article throws some light on the standing of centralised exchanges in this new decentralised paradigm. We highlight and explain our own experiences and material impact to ADD.xyz leading up to the hack at Kucoin for $280m. Also, this article makes a strong case for why centralised exchanges are losing credibility and why organic token value movement and the use of AMMs such as Uniswap will be the way forward, at least for the foreseeable future.
Unfortunately, we were informed at around 3:00 AM UTC by Kucoin’s business team that we needed to pause all transfers and blacklist a hackers address. The hacker in question has drained Kucoin’s hot wallet to a value of $280m US Dollars. 17,537,352 PLT tokens were transferred from Kucoin’s Hot Wallet to an attackers address in this incident.
Timeline of Events
On Sep-25–2020 06:54:27 PM UTC the KuCoin hacker stole 1,806,144.05 PLT tokens from KuCoin.
On Sep-25–2020 08:21:48 PM UTC the KuCoin hacker stole 14,951,867.12 PLT tokens from KuCoin.
On Sep-25–2020 09:05:30 PM UTC the KuCoin hacker stole 779,341 PLT tokens from KuCoin
(Note the time difference between the 1st, 2nd and 3rd transfer)
Our philosophy has always been to be part of a truly decentralized network of projects. We do not believe that centralised controls over tokens, such as burn/mint functions, pause and blacklisting, are something that the team will implement.
Insurance Funds in the space, for example Binance’s SAFU fund, are something normally promoted, supported and audited by cybersecurity firms. We were surprised to hear that Kucoin has an insurance fund, as such as never been revealed to the Add.xyz team contractually or otherwise. Kucoin’s losses appear to amount to 3:1 in relation to the funds left within their cold storage.
As such, it is our position that Kucoin should provide clear guidance and assurances as outlined in their statement, to project teams, users and liquidity providers with undertakings to provide projects with support regarding present and future losses
We’re doing a token swap..
- We don’t have a set date and time just yet for the token swap.
- Add.xyz will perform a token swap at an approximate block height of 10942620 (Approximate). A snapshot of the chain will be taken. All transfers after this block will be invalidated.
- All users to stop trading on CEX, DEX and any platforms until the Token Swap operation has been completed. We have informed exchanges to cease trading until the token swap operation has completed.
- 17,537,352 tokens (Stolen Token Balance) will be locked into a fund for affected persons until further clarifications and assurances made by the Kucoin for costs beared by the project.
- PLT to be renamed to ADD.
- Immediate Liquidity Program to be launched on Uniswap.
Important note: Add.xyx has no power to compel exchanges, wallets, and information services to point their services to, or recognise the new contract address. Therefore, it may take several days, and in some cases longer than that, for third parties to decide whether they wish to recognise the new token smart contract address for ADD.
KuCoin bears all liability and responsibility in this hack to reimburse their users, as stated in their public announcements and warranties. Add.xyx urges KuCoin to give clear and transparent information on exactly how and when they are going to make their users, listed projects such as Add.xyx, and other stakeholders whole.
Further information required from Kucoin:
- International and Domestic Police Report Number (Chengdu authorities)
- Cooperation and liaison regarding information on the hack/hacker.
- List and timestamps of all hacked funds across multiple chains/tokens.
- Statement on why the wallets were not swiped daily.
- Full statement on balances lost and held by Kucoin and financial statement signed by auditors.
- Statement on the status of our liquidity that was locked in Kucoin for over 1 week.
- Statement on Insurance fund covering projects, users and liquidity providers losses.
- Signed legal guarantees that their users will receive tokens.
Tokens lost via Hack
Tokens that were stolen in the KuCoin hack will be stored in a new, public address and disclosed as soon as the swap is complete. If you were affected by this hack, we advise you to stay tuned to our Telegram announcement channel and to keep updated on this.
New Smart Contracts and Audits
We’re launching a new smart contract and for precautions we need to carry out an audit. The team will consider further additions to the smart contract such as pause and blacklist functions which could exist for a set amount of time before a full governance system is introduced removing centralised control.
Remove Liquidity from Uniswap
We’re requesting that all liquidity providers on Uniswap withdraw from the pool.
Signed: The Add.xyx Team
Follow Add.xyz on Twitter, Telegram, LinkedIn, & subscribe to our Newsletter for project updates and announcements. Chat directly with other developers on Telegram.
