KuCoin hack turns Uniswap into crypto laundromat

KuCoin hack teaches us a couple of costly lessons about the decentralized finance (DeFi) industry. Some of them may become a revelation for investors.

KuCoin's story: the summary

On 25 September, an unknown hacker exploited the vulnerability of the Asia-based cryptocurrency exchange KuCoin and drained its hot wallets of $281 million in cryptocurrency assets. The episode has become the third-largest theft in the history of cryptocurrency trading platforms. 

The bad guys got away with a variety of assets, including Bitcoins, Litecoin and XRP. However, ERC-20 tokens accounted for over half of the loot. 

The composition of the assets stolen from KuCoin

Source: www.elliptic.co

Lesson 1: Centralized exchanges turned into a dead end

According to the data provided by Elliptic's research, the service that enables detecting and investigating risky crypto transactions, hackers attempted to sell the stolen assets on the regular exchanges. However, this route was blocked within minutes after the hack. All major trading platforms are equipped with the tools to identify where the assets originated from and freeze any accounts receiving such funds. 

Centralized cryptocurrency exchanges are very cooperative and tend to prevent the money laundering through their accounts. Moreover, some of the largest trading platforms cooperate with the authorities, providing them with tools to analyze blockchains and monitor suspicious activity.  

Thus Coinbase reportedly has dealt with various US authorities, including the Drug Enforcement Administration (DEA) and the Internal Revenue Service (IRS). The cryptocurrency exchange provides a cryptocurrency investigation tool called "Coinbase Analytics."

Lesson 2: DEXs turned into crypto laundromats 

Meanwhile, decentralized exchanges (DEXs) provided hackers with another option to bypass the anti-money laundering procedures and cash out the stolen assets. 

Unlike the centralized counterparts, DEXs are governed by smart contracts, meaning that there is no intermediary or centralized authority between the participants of the trade. 

This circumstance has a couple of consequences. First, the participants stay anonymous as they do not have to disclose their identities and go through know-your-customer (KYC) processes. Second, there is no one to freeze the account to seize the funds as everything is processed automatically, based on the rules of the smart contract. 

 KuCoin thief benefitted from the explosive growth of decentralized exchange activity on Ethereum and began selling the stolen ERC-20 tokens on these platforms without risk of being frozen.

DEXs involved in laundering funds stole from KuCoin

Source: www.elliptic.co

As the chart above shows, the hacker focused on four DEXs, Uniswap, Kyber Network, DEX.AG and Tokenlon, and laundered about $13.3 million in coins by the time of writing. Uniswap accounts for the lion's share of this activity. 

While Elliptic claims that its blockchain monitoring solutions can trace the funds on DEXs, there is still no way to block the transactions that involve the funds originated from the hack.  

Lesson 3: Decentralization can be falsified

Several projects introduced the measure to lock the funds stolen by the hacker. That's what Tether did, which is hardly surprising for the community. However, several projects that deemed to be decentralized pursued a similar strategy,

For example, Ampleforth (AMPL) and Ocean Protocol (OCEAN) also took decisive action against KuCoin's bad guy. 

Ocean Protocol team performed a hard fork from a few blocks before the hack to roll back the transactions. A new chain will become the main for the protocol. Basically, Ocean Protocol opted for the Ethereum's approach to the DAO hack. Read our in-depth story of what happened next.

Ampleforth team tweaked their smart contract to block the hacker's address from moving their AMPL. While this solution may look less drastic, it reveals the lack of decentralization and opens up the way to censorship. Unlike the Ocean, where users can opt for the old chain and follow the suit of Etthereum Classic, Ampleforth changed the contract unilaterally and gave the community no choice. 

Kardiachain, Orion Protocol, and Aleph all have taken similar steps showing their real centralized face.