KuCoin Hack
Incident Overview
Hackers managed to obtain the private keys to KuCoin's hot wallets and drain the exchange for various crypto assets in the amount of $280 million.
This case lacks information with regard to the methodology hackers utilized in order to gain access to KuCoin's hot wallets. The hot wallet affected were designated for Bitcoin, Ethereum, and ERC-20 tokens.
Stolen funds included:
- 1,008 BTC ($10,758,404.86)
- 11,543 ETH ($4,030,957.90)
- 19,834,042 USDT-ETH ($19,834,042.14)
- 18,495,798 XRP ($4,254,547.54)
- 26,733 LTC ($1,238,539.89)
- 999,160 USDT ($999,160)
- $147M worth of ERC-20 tokens
- $87M of Stellar tokens
In an attempt to launder the ill-gotten funds, the attackers proceeded to use a mixture of DeFi protocols such as Kyber and Uniswap.
The CEO of KuCoin claims that through a mixture of on-chain analyses, judicial recovery, as well as contract upgrades, 84% of the stolen funds, had been recovered. The remaining losses were covered by KuCoin's own capital and insurance fund.
Incident Report
Protocol Information
Market Context at Time of Hack
What the Attacker Needed to Succeed
Understanding the prerequisites for this type of attack helps auditors identify protocols that are most at risk and helps developers build better defenses.
What Auditors Should Check
If you're auditing a protocol with similar architecture to KuCoin, these are the critical security checks that could have prevented this incident (September 2020).
- Verify all logic paths related to Access Control are guarded by proper access controls and input validation - see the Access Control Attacks attack class for patterns
- Review privileged functions (owner, admin, governance) for potential abuse vectors - centralization risks should be documented and bounded with timelocks or multi-sigs
Master these auditing techniques with hands-on labs and real exploit scenarios in the Smart Contract Hacking course.
Free TrialFunds Recovery
Recovered
$280.0M
Net Loss
0
Related Attack Classes
The technique used in this hack maps to these vulnerability classes in our security curriculum:
Sources & References
Learn to Prevent the Next KuCoin
The KuCoin hack is one of many attacks that skilled auditors are trained to detect before deployment. Master real exploit patterns and defense techniques with hands-on Web3 security training.