KuCoin’s stolen funds flow into Uniswap, exacerbating CEX security challenges
Editor's Note: This article comes from Honeycomb Finance News (ID: fengchao-caijing), Author: asked, reproduced by Odaily with authorization.
As of 0:00 a.m. today, the three ERC-20 asset projects affected by the KuCoin exchange theft, OCEAN, ORN, and KAI, have all been upgraded, and ORN and KAI have been exchanged on KuCoin.
Two days ago, in the early morning of September 26, KuCoin announced that multiple large, abnormal withdrawals had led it to discover that Bitcoin and ERC-20 tokens in some of the exchange's hot wallets had been transferred out. The announcement confirmed that "KuCoin was stolen".
Afterwards, KuCoin CEO Johnny Lyu said in a live video that the crisis was caused by the hot wallet's private key being leaked and used by hackers. After the incident, he began to transfer the existing funds in the hot wallet to the cold wallet. is an extremely small amount” and has sufficient risk reserves to bear.
Soon afterwards, external media reported, based on statistics from on-chain transfer records, that assets worth 150 million US dollars had been transferred out of KuCoin. Yesterday, KuCoin told Honeycomb Finance that while hackers were transferring out KuCoin assets on a large scale, KuCoin’s wallet team was also transferring assets out for “safety avoidance”. Most of the affected assets are ERC-20 tokens; the value evaluation is still in progress and will be announced after confirmation.
At a time when DeFi is popular in the crypto community, DEX applications that require no KYC and allow free trading have opened a convenient door for hackers to sell stolen assets after a CEX theft. In the process of recovering funds after the incident, the centralized exchange not only needs to contact industry peers to cooperate, but must also watch on-chain protocols at all times to deal with sudden incidents. Security challenges for CEXs are intensifying.
Three kinds of stolen assets flowed into Uniswap; project teams busy forking
At 0:00 a.m. today, the Ocean Protocol Foundation, which was affected by the KuCoin theft, stated that more than 21 million OCEAN, with a market value of more than 8.6 million U.S. dollars, were among the assets stolen from KuCoin. "The hacker is now trying to liquidate the ill-gotten wealth." The foundation is initiating a hard fork of the protocol and has deployed a new version of the smart contract; the balance of the stolen tokens will be allocated to an address, which will be hosted in Singapore people.
The ill-gotten gains that hackers are trying to dispose of don't just include OCEAN.
On September 27th, the blockchain security agency Beijing Lianan found that, as of 5:00 p.m. Beijing time, the ERC20 tokens stolen from the KuCoin exchange had been sold through Uniswap transactions for a profit of about 266 ETH. The addresses involved had mainly transferred out three ERC20 tokens, OCEAN, ORN, and KAI, and OCEAN has been traded through Uniswap.
Since then, the project teams behind ORN and KAI have also been upgrading their protocols, so that the hacker’s subsequent attempts to sell the stolen assets will be invalid.
With the cooperation of several exchanges and the project teams of the affected assets, KuCoin has managed to contain, to a certain extent, the theft that happened 2 days ago.
According to KuCoin CEO Johnny Lyu, at 2:51 a.m. on September 26, risk alerts for multiple large-value transfers showed an outflow of funds from the hot wallet storing some Bitcoin and Ethereum ERC-20 assets. After shutting down the wallet server failed to completely stop the abnormal activity, they determined that the private key of the hot wallet had been leaked.
More than an hour later, the KuCoin Wallet team transferred the funds from the hot wallet to the cold wallet. At the same time, they contacted 19 exchanges to block related withdrawals, and called the police in many countries.
According to KuCoin’s constantly updated announcements, the suspicious addresses they count include 1 Ethereum address, 3 Bitcoin addresses, and 6 addresses corresponding to 6 assets including LTC, XRP, BCHSV, XLM, USDT, and TRX.
After the incident, KuCoin suspended the trading pairs or deposit and withdrawal services of KAI, COV, ORN, NOIA, PLT, ALEPH, TRAC, BEPRO and other assets.
As of now, KuCoin officials have not disclosed the total value of the lost assets caused by the theft. However, on September 27, according to media statistics based on on-chain transfer records, 150 million USD in assets was transferred out of KuCoin.
In this regard, KuCoin told Honeycomb Finance that when hackers transferred out KuCoin assets on a large scale, the exchange’s internal wallet team was also transferring out assets to avoid risks. “For example, among the 35 million USDT that has been frozen by Tether and Bitfinex, 13 million were transferred out by the KuCoin wallet team, and 22 million were transferred out by hackers. Accordingly, KuCoin has not announced the actual amount involved in the case, and the value evaluation is still in progress. KuCoin will announce the specific tokens and amounts after confirmation.”
KuCoin has publicly stated that if any user suffers losses in this incident, all losses will be fully borne by KuCoin and the insurance fund. So, how many users and their assets were affected? KuCoin said, “We are still investigating how specific users are affected. We also maintain communication with users through 24-hour online customer service on the official website, Twitter, and Telegram.”
There have been 17 security incidents at CEXs this year
After the KuCoin theft, many questions remain unanswered, including how the private key of KuCoin’s hot wallet was leaked. Is it a problem with internal personnel management, or a problem with the wallet custody mechanism?
After DeFi brought the enlightenment of decentralized applications, DEXs have been expected to revolutionize CEXs. Now, the theft at KuCoin, which has always flaunted its weight in overseas markets, has once again exposed the security risks of the CEX centralized asset management model. What's more troublesome is that Uniswap, the representative of the DEX industry, has become a place for hackers to move ill-gotten wealth because of features such as anonymous, permissionless transactions.
In fact, whether it is the security accidents of the DeFi protocol or the various risks of CEX, there are not many occurrences this year. It’s just that the hustle and bustle of liquidity mining seems to have made participants in all sectors of the market relax their vigilance. The illusory prosperity of the market has covered up the security risks that should be kept in mind at all times.
According to statistics from the blockchain security organization PeckShield, security incidents involving DeFi protocols have not stopped since February this year. From February to August, a total of 30 security incidents occurred in the DeFi field; during the same period, 17 incidents occurred at centralized exchanges. Among them, there have been at least 5 security incidents like KuCoin's, involving wallet private key theft, hacking, and asset theft.
On February 10 this year, the server storing the hot wallet private key at the Altsbit exchange was hacked and the private key was stolen, resulting in the loss of user assets. Only 7 days later, the VBITEX trading platform issued an announcement saying that it had been hacked, resulting in malicious tampering with platform data and the theft of virtual assets.
On April 9, the cryptocurrency exchange Bisq suffered a theft. Attackers exploited a flaw in the Bisq transaction protocol to steal transaction funds for a single transaction. 7 victims lost a total of 3 BTC and 4,000 XMR.
On May 27, the LMEX Stock Exchange announced that the platform had been hacked and lost 150,000 USDT, leaving the platform in debt.
In July, British cryptocurrency exchange Cashaa said hackers stole more than 336 bitcoins from one of its wallets.


