Dear Pundians,

Unfortunately it appears those involved with the recent Coinrail theft of NPXS have offloaded a portion on IDEX around 12:20 pm SGT (GMT+8) on June 25 and 4:50 am SGT (GMT+8) on June 26. Pundi X took immediate action to alert IDEX and Coinrail. However, these tokens had already changed hands in less than 20 minutes.

This has prompted some questions from the community, which I will answer in this post.

Who has been affected by a security breach?

It is worth restating: the stolen tokens are from the hack on the Coinrail exchange first reported more than two weeks ago. Pundi X has NOT been hacked; NPXS has NOT been hacked; IDEX has NOT been hacked.

Why can’t we just ask IDEX to shut the hacker’s wallet?

IDEX is a decentralised exchange which cannot fully stop the hacker account from trading; they have to choose to suspend the trading of NPXS by our request to minimize the impact of NPXS holders.

Can we be taken off IDEX?

Yes, we have made a request for a de-listing on June 25 and now the trading of NPXS has been suspended.

Why can’t Pundi X freeze the hacker’s tokens?

The nature of decentralization and blockchain prevents this. We cannot achieve this, short of freezing the entire smart contract again, which is a measure we already took to assist the investigation in the early stage of this incident.

We have no further plans of freezing the NPXS smart contract. While there is a possibility that the hacker may move more tokens out from his wallet, which we simply cannot control, we have taken every single measure that we can possibly take to make profiting off of this hack difficult for him.

If the movement of tokens to new wallets happens in the future, we will be immediately alert all relevant parties who are assisting with this ongoing investigation.

How is the investigation of Coinrail hack incident?

It is ongoing and a matter being led by Korean law enforcement authorities; it’s not something we can comment on.

Does Pundi X understand its community has been affected?

That NPXS holders who placed faith in Pundi X had that abused by criminals and a security lapse by another organization affects the team deeply.

We can understand the anxiety within the community. Some of those affected are close friends; all of the stories I have read — and there have been many — have been touching.

What has Pundi X done to minimize the impact to the NPXS token holders?

Everything we can. We intervened to suspend the NPXS smart contract for 10 days, in response to a request from Korean police to assist their investigations.

We will continue to cooperate with the official Korean police investigation into how 2.6 billion NPXS were extracted from Coinrail and by whom.

Also, we don’t want to see the hacker profit from the stolen tokens. Therefore, we are taking the measure of requesting to de-list from the decentralized exchanges till the hacker gets caught.

We’ve also blocked the monthly unlocked token distribution to the hacker’s wallet address.

Can NPXS issue a new token or hard fork?

We could not simply issue a new token for this incident because it might incur serious legal implications.

Pundi X has already executed a major swap to fulfill the community’s request for the public token sale. Swapping imposes a cost on all other token holders, and the risk that tokens can be lost or forgotten. A swap would not only be a burden but it would involve shifting losses onto the majority of the NPXS holders.

Why don’t you lock or burn the hacker’s token?

The tokens to be burned must be in our smart contract address. As the tokens are in the hackers’ private ERC20 wallet, we cannot either execute burn nor lock the stolen tokens.

What about compensation for the Coinrail NPXS holders?

Pundi X was not hit by a security breach: Coinrail was. Under law the party whose security had been compromised is accountable.

What else can Pundi X do for Coinrail hack incident?

The simple, unattractive and true answer is relatively little. The recent history of cryptocurrencies is littered with hacking episodes. A few have been resolved neatly by the affected exchanges in a short time but no stolen currencies have had responsibility.

Bitcoin was not called to account for the Mt Gox episode. Nor have other tokens stolen from third party exchanges been asked to pay for these breaches. Doing so would not only set a precedent it would mean compensation would have to follow every time a third-party’s security was breached. That is not feasible, morally or practically.

What’s next?

Wherever we have a say, we will do everything in our power to advocate for the rights of affected token holders.

Pundi X will also push for better standards of exchange security.

Standards are too disparate and, in some cases, too lax. As with all losses, there are lessons here and we will use our influence to build upon them to push for improvements to exchange architecture.

At Pundi X, we want to improve the world for the better and to place it on a more equal footing. This is not going to be easy. But we hope it continues.


Zac Cheah
CEO and co-founder
Pundi X

1 Comment »