$1.7 billion lost to hackers in 2021. Another $1.9billion within the first 9 months of 2022. The astonishing increase in DeFi exploits has prompted Crypto investors and some consumer advocates to demand that DeFi protocols shoulder more responsibility to protect token holders who fall victim.
Some groups are pushing for laws that would require DeFi protocols’ founders and employees to pay refunds to the victims of hacks. And others are proposing reforms that would transfer the liability of affected token holders to the founders of DeFi protocols.
This has led to yet another conundrum, adding to the long list of controversial debates in the nascent blockchain & cryptocurrency industry.
In this in-depth article, we’ll examine 4 major reasons why DeFi protocols should refrain from refunding hack victims. And we’ll also go one step further to recommend an efficient solution that completely protects DeFi investors from the negative impacts of these huge losses, without compromising the professional indemnity of DeFi protocol founders who are innovating in good faith.
TL:DR
- DeFi protocols have gained massive adoption over the last 2 years, but hacks and network exploits have emerged as major challenges.
- 76% of cyberattacks in 2021 occurred on DeFi protocols.
- Calls for DeFi protocols to refund users have been around as far back as 2017.
- The industry has beefed up security architecture through Smart Contract Audits & Bug Bounty programs. They have helped reduce the frequency of hacks, but the exploits still persist at a much higher scale of losses.
- DeFi Insurance protocols have recently emerged to offer a more sustainable solution to protect users & investors from catastrophic losses.
Should Blockchain Protocols Refund Users that Get Hacked?
When you hear someone say that, “Blockchain protocols should not refund hack victims”, you probably think, “that sounds cruel”. Right?
Well, before we address the elephant in the room, let’s take a short trip down the memory lane to explore some of the notable crypto-hack events that have occurred recently — where the protocols have promised to refund victims directly or indirectly and examine the outcome of those processes.
Notable Blockchain Protocols That Promised to Refund Hack Victims.
Calls for DeFi protocols to refund victims of hacks and exploits are as old as the DeFi industry itself. Since the infamous 850,000 BTC (approx. $3.1bn) hack that occurred on the Mt. Gox exchange, back in 2014, many blockchain protocols have made (or pretended to make) a series of efforts to refund users that suffered losses. – Sometimes through complex litigation, or in-house settlement proposals put forward by the team.
But how effective have these efforts been? How many users have been successfully reimbursed? Let’s take a look at a few notable events, then try to draw an objective conclusion.
(2014) Mt Gox Exchange — 850,000 BTC ($16.8 Billion) hack.
March 7, 2014 — Mark Karpelès, the CEO of what at the time, was the world’s biggest Bitcoin exchange, shocked the infant crypto world. He announced that the exchange had sought bankruptcy protection, saying that 850,000 of Bitcoins in its custody, worth $473 million at the time, and representing 7% of all Bitcoins in existence—had somehow disappeared.
“We had weaknesses in our system, and our bitcoins vanished. We’ve caused trouble and inconvenience to many people, and I feel deeply sorry for what has happened,” Karpeles said, speaking at a Tokyo press conference called to announce the company’s bankruptcy.
Kolin Burges, a cryptocurrency trader, protesting the loss of Mt. Gox’s Bitcoins.
Image Credit: Toru Hanai—Reuters.
Shortly after Mt Gox CEO made the announcement, a Japanese court ruled to pull the exchange out of bankruptcy, opening the door for at least $1 billion worth of cryptocurrency to be paid back to creditors i.e. the customers who fell victim to the hack.
Current status of Mt Gox Refund Process.
The Mt Gox exchange hack led to global clamor from customers and support groups, pushing for victims to be repaid. Two problems emerged. Only about 200,000 of the missing 850,000 were recovered. Meaning that nearly 75% of the Bitcoin assets belonging to the customers were lost forever. Secondly, there has been a long drawn out lawsuit that has now lasted nearly a decade.
In August 2022, the appointed Mt. Gox trustee, Nobuaki Kobayashi released a statement, notifying creditors about the latest claims process.
Despite concerted legal efforts & protests, no Mt. Gox coins have been released to creditors till date. For context, a child born when the hack occurred would be old enough to go to high school today. And none of Binance, Coinbase, Ethereum, Solana even existed at the time.
(2018) Coincheck Exchange — 523m NEM Tokens (approx. $534m) losses.
The catastrophic Coincheck Exchange hack is another intriguing case study. In January 2018, the Japan-based exchange announced that it had suffered vicious exploits, which caused 260,000 customers to lose a total of 523m NEM tokens.
Koichiro Wada, president of Coincheck, during a news conference in 2018.
Image Credit: Bloomberg.
The exchange suspended trading after it was hacked on Jan. 26, resulting in a massive loss of 523m NEM coins, worth approximately $534 million at that time of the exploit. During a press release following the hack, exchange’s representatives revealed that the funds were stored on a single-signature hot wallet, which constituted a relatively low-security environment.
Almost instantly, on Jan. 27, the team announced that it will issue full refunds to all of the 260,000 users who fell victim to the hack.
Current status of the Coincheck Hack Refund Process.
Unlike the Mt.Gox hack, the Coincheck team did keep their promise and paid refunds to customers who fell victim to the hack. On March 13th, nearly 2 months after the hack, the Financial Times reported that Coincheck had issued refunds to investors and resumed trading. But not without two major complications.
Firstly, investors were undercut by nearly $100m. At the time of the hack, the prices of NEM tokens hovered around $1.03 per NEM Token. But the group only refunded victims at $0.82 apiece — effectively costing victims a whopping 20% loss.
“Although the amount paid out is less than the $534m value of the coins at the time of the hack, it is higher than the current market price of NEM” — Coincheck team.
Secondly, other investors and stakeholders of the Exchange expressed concerns about the source of the income that was used to fund the $430m payouts.
The team had suggested that Coincheck had drawn resources from the substantial gains it made on its own cryptocurrency investments, to fund the compensation.
But the future of the exchange as a going concern remained in doubt, with significant cash flowing out and new investors unable to deposit cryptocurrencies as trading was suspended.
(2021) BitMart Exchange — $200M hack.
For every Coincheck that raises your hopes in humanity, there’s a Bitmart that simply dashes that hope.
In December 2021, Peckshield, a blockchain security and auditing company was the first to report,via twitter, that a possible large scale hot wallet exploit had occurred on BitMart exchange. A few hours later the BitMart team confirmed that unknown hackers had carted away tokens worth over $200m due to a stolen private key.
In a response to community uproar, BitMart promised in an official statement, on Dec 2021 that it would use its own money to reimburse victims of the security breach.
Current status of the BitMart Refund Process.
Over 9 months after the hack, all efforts made by victims to retrieve the payouts promised by the BitMart team have fallen flat.
In a recent report published by CNBC, which featured some victims of the BitMart hack. The victim complained bitterly that communication regarding the compensation process had ceased completely.
Even though Bitmart had instantly promised that affected users that they would keep in touch, they have not lived up to the promise and victims are starting to worry about the state of their funds.
(2022.) AXIE INFINITY – $620Million Ronin Bridge Hack
Similarly, Sky Mavis-led Axie Infinity suffered a devastating $620 million hack on its native Ronin bridge in June 2022. The play-to-earn also released statements promising to pay full refunds to victims. But several months down the line, it has also failed to reimburse victims till date.
So, when reports of another DeFi hack on Kyber Network emerged a few weeks ago — and the Kyber Exec team again, Vowed to reimburse victims. It has once again raised the controversial question among experts and stakeholders in the wider blockchain industry — Should blockchain protocols be mandated to refund victims of the devastating hacks.
As we have observed in the trend of the notable events outlined above, the short answer is NO. Regardless of the moral obligation, and willingness on the part of the founding team, processing refunds for hacks running into billions of dollars, is simply not sustainable, neither is it workable from the standpoint of legal technicalities.
Why DeFi Protocols Should Not Refund Hack Victims.
Now, let’s take a look at some of the major reasons that make it technically impossible for DeFi protocols to be able to refund all victims of DeFi exploits.
- Technical Obstacles
The Ubiquitous nature of blockchain technology means that DeFi protocols customers located in different countries. This makes it nearly impossible for victims to effectively coordinate class action lawsuits that would be necessary for an efficient claims & refund process.
Furthermore, most DeFi protocols are non-KYC platforms that do not obtain personal information of users. And since many countries do not have a legal framework that governs the digital currencies, it often becomes a cumbersome process for claimants.
This particular issue can be observed in the case of Mt.Gox hack victims. The case became subject to lawsuits across different countries, with separate rulings in Japan and the USA. Causing the litigation process to drag on for what has now become nearly a decade. With no end in sight.
- Inflationary Pressure & Dilution of Other Token Holders
If DeFi protocols are to refund all hack victims they would have to raise funds from somewhere, right? Well, one of the easiest ways for DeFi protocols to raise funds is Seigniorage — minting new tokens to meet maturing obligations.
If hack victims are repaid with newly minted tokens, it would inadvertently flood the market with millions of new tokens within a short period. And this would instantly drive down the value of the circulating supply, thereby diluting other token holders.
A sudden drop in prices could trigger a death spiral, if unaffected Holder gets spooked and begins to sell off. Regardless of how innovative— history shows that not many DeFi protocols recover from a death spiral that drives prices to near zero.
- Depletes Treasury & Slows down Development
Another way that DeFi protocols can raise funds to repay hack victims is to pull funds from the treasury.
Typically, funds deposited in a DeFi protocol’s treasury are dedicated to specific purposes that are critical to the long-term sustainability of the platform — such as marketing campaigns, research, and team expansion.
When these funds are pulled to make repayments to hack victims— to put it mildly, it automatically puts the long-term survival of that DeFi project in jeopardy.
- Stifles Innovation & Distract Dev. Teams
History suggests that making innovators liable for the technology that they build does nothing but stifle their creativity. Which slows down our growth as a society.
Making blockchain developers liable for vulnerabilities in the code & protocols that they build would effectively discourage innovation in the global DeFi industry.
Furthermore, as we have seen in the case of Coincheck Exchange above, burying innovators in a flurry of unending lawsuits often disrupts the operational activities of the platform. Thereby leading to an exacerbation of the problem, making long-term losses spread to other investors that were unaffected by the subject hack in litigation.
Professional Indemnity played a key role in the development of Internet banking, Aviation, Telecommunication and other innovative industries that have become core aspects of your social and professional lives today. And the burgeoning DeFi industry,today, should not be deprived of that privilege as well.
Given the nascent nature of the DeFi insurance industry, it is important for regulators to create laws that protect talented professionals and early contributors, who are acting in good faith — from being exposed to rigor and distraction of unbridled litigation.
Regulators should provide relevant coverage solutions against innovation stifling litigation – such covers could include Directors’ and Officers’ (D&O) liability & Professional indemnity – within the confines of commercial crime prevention laws.
So, having established the reasons why DeFi protocols cannot effectively pay refunds to users you’d be asking, so what’s the way forward? How can Investors and users of DeFi protocols be protected from the devastating losses that result from hacks. Here’s an alternative solution.
DeFi Insurance — A Solution that works.
While it is important to have systems that encourage innovation, it is unarguable that Consumer protection is at the core of every thriving industry. Hence, DeFi Insurance has emerged as an effective independent mechanism for users & investors to get recourse whenever things go off route sometimes.
Over the last 2years, various innovative DeFi Coverage platforms have sprung up to provide seamless and effective solutions to the “DeFi hacks vs Investor refunds” debacle.
DeFi Protection Protocols are platforms that are set up to protect and indemnify investors users of various Decentralized Finance services, who may fall victim to Crypto assets theft, Fraud, Hacks and devastating Smart contract failures.
DeFi Coverage protocols provide a mechanism for hack victims to receive refunds on losses, without having to burden the attacked protocol – with a flurry of lawsuits, or put unaffected token holders at risk of dilution. Specifically, in May 2022, InsurAce swung into action to save victims of a flash loan attack on the Elephant Money protocol. And again, later in May, the DeFi Coverage protocol came to the rescue once again, paying out Coverage claims worth $11.7m to 155 investors who had lost funds to the catastrophic TerraUST crash.
To put an end to the scourge of losses on the path of Investors and Users, Stakeholders VCs and Users should encourage DeFi startups to embed solid DeFi Insurance packages into their plans prior to product launch.
Safety first. User & Investor asset protection should be prioritized as much as any other aspect of product development. The team owes its users and investors a duty of care, and DeFi Insurance is here to provide a lasting solution.
In our next series of articles, we will explain in detail, “How DeFi Protocols Can Avoid Getting Hacked”. Stay tuned.
