Should the project party compensate?
Written by: Liu Honglin, Xu Yuewen
In recent days, the DEXX incident has become a hot topic in the crypto community. Many friends have sent me messages asking for my legal perspective on this incident, especially regarding whether the project party and those KOLs who helped promote it should bear legal responsibility in the case of user assets being stolen. In this article, we will sort out the ins and outs of this incident and share my personal legal views.
Background Review
On November 16, 2024, the DEXX platform suddenly experienced a major hacking incident, with numerous users reporting that their assets mysteriously disappeared from their accounts. This news quickly spread on social media, causing widespread panic and anger. Initially, many users thought it was just a system malfunction, but with the in-depth investigation by security audit firms CertiK and PeckShield, it was soon confirmed that there were serious private key management vulnerabilities on the DEXX platform. Hackers easily gained access to the platform's core wallet through this vulnerability and transferred user assets to multiple anonymous addresses.
After the incident, the DEXX team released an open letter, attempting to offer a bounty in exchange for the return of the stolen assets. However, this letter not only failed to quell user anger but also sparked more questions. Some believe that the DEXX team may have staged an "internal incident." Various signs indicate that the waters behind this incident are not shallow, and affected users have begun to organize their own rights protection actions in an attempt to recover their losses.
Responsibility of the Project Party: A Makeshift Team or Force Majeure?
As a lawyer, I think it is essential to clarify one point: Should the project party compensate users for their losses? If the DEXX project party indeed caused the theft of user assets due to their management errors, especially "basic mistakes" in private key management, then legally, they should bear compensation responsibility to the users. To put it bluntly, if the security vulnerabilities of the project party were caused by carelessness or technical oversight, rather than force majeure factors, then user losses cannot simply be attributed to "hacker attacks."
According to common user agreements, platforms usually exempt themselves from liability for force majeure events, but this incident clearly does not fall under natural disasters or uncontrollable external factors; rather, it is due to the project party's failure to fulfill their security management obligations. In such cases, the law generally considers it "mismanagement" rather than force majeure. However, if users want to protect their rights through litigation domestically, it is actually very difficult. DEXX, as an offshore registered company, requires users to pursue cross-border litigation, and under the current legal environment in China, there are many restrictions on judicial protection for virtual currencies. Therefore, even if users have legitimate compensation claims, the likelihood of them being realized remains very low.
It is worth mentioning that if this incident was not due to a hacker attack but rather a "scam" orchestrated by the project party, the situation would be entirely different. If evidence shows that the project party intentionally used the hacker attack incident to cover up the illegal misappropriation of user assets, this could be classified as fraud domestically. Some may think that since the project party is overseas, domestic law enforcement cannot do anything. However, as long as the amount involved is significant enough, law enforcement has every incentive to initiate cross-border pursuits through international cooperation. There have been many successful capture cases in similar incidents in history, and believing that "being overseas means being safe" is indeed too naive.
KOL Responsibility: A Dual Test of Law and Character
In this incident, many KOLs in the crypto community stood by DEXX, actively promoting it on social media to earn commissions. Compared to other platforms, DEXX's commission rate is relatively high, reaching up to 50-60% of the fees, which raises another question: Do the KOLs who helped promote it bear legal responsibility? This is also a topic of discussion among many in the rights protection group. Recently, I have seen people online compiling a list of KOLs who promoted DEXX, including some friends I personally know. KOLs have responded in different ways; some have deleted their promotional posts, while others have come forward to apologize and promised some compensation, but these are all just voluntary personal actions.
To conclude, from a legal perspective, if these KOLs merely received promotional fees for their assistance, law enforcement is unlikely to prioritize holding these KOLs accountable. This is because, from a cost-effectiveness standpoint, it is more efficient to focus on targeting the core project party rather than dispersing efforts to pursue multiple KOLs.
However, the reputation and credibility of KOLs in the crypto community are crucial. I advise these influencers that if they wish to maintain a good brand image within the community, they should provide appropriate explanations and statements to their fans within an acceptable range, although this goes beyond legal considerations. At the very least, it serves as a reminder to all KOLs that when promoting projects, they cannot only focus on advertising fees while neglecting basic risk control of the projects. Otherwise, when users find themselves harmed due to these promotional contents, even if KOLs are legally exempt, they may still face community backlash and bear significant moral and social pressure.
Lawyer Mankun's Compliance Suggestions
The DEXX incident has exposed not only technical vulnerabilities but also a lack of compliance awareness. If the project party had conducted risk assessments and preventive measures in advance, many issues could have been avoided. The DEXX incident has led many to lament that the world is indeed a huge makeshift team. How the situation develops in the future may depend on time. But at least the problems exposed at this stage have already provided some useful experiences for project parties and practitioners in the Web3 industry.
(1) Security Management: Multi-layered Protection from Technology to System
First and foremost, for any crypto project, the security of funds is paramount. The lesson from the DEXX incident is that no matter how good the technological innovation is, if the basic security is not in place, everything is just a castle in the air. Here, I want to emphasize a few specific security management measures:
Multi-signature and Hardware Isolation for Private Key Management: The project party should adopt a multi-signature mechanism (Multi-Sig) to ensure that even if one party's private key is compromised, it will not lead to the theft of funds. Additionally, private keys should be stored in cold wallets to prevent online attacks. Especially for the private keys of core wallets, they should never be stored on connected devices. It is recommended to use hardware wallets combined with offline backups to minimize the risk of being stolen by hackers.
Introduce Third-party Security Audits and Regular Testing: Security audits should not be a mere formality but a necessary step before the project goes live. In the case of DEXX, there was a clear lack of audits and stress tests for the private key management system. The project party should regularly invite professional security companies to conduct code reviews and vulnerability tests, promptly fixing any identified issues. Additionally, an internal emergency response team should be established to quickly respond to unexpected events rather than scrambling during a crisis.
Improve Internal Risk Control Processes: In addition to technical security, the project party should establish a comprehensive internal management system, including mechanisms for permission control, operation log review, and abnormal behavior monitoring. For example, strict approval processes should be set for fund transfer operations, with detailed operation records kept. In the event of an anomaly, the source can be quickly traced, and blocking measures can be taken to prevent further losses.
(2) Compliance Operations: Actively Embrace Regulation to Enhance Market Trust
In the current context of increasingly strict global regulation of the crypto market, compliance operations for project parties are no longer optional but a necessity for survival. Many Web3 projects choose offshore registration to avoid legal risks, but it has been proven that once user asset losses or fraudulent activities occur, this "offshore protection umbrella" does not truly shield the project party from legal accountability.
For project parties planning long-term development, it is advisable to establish compliant entities in major markets to ensure that operations are legal and compliant locally. This not only enhances the project's credibility but also effectively reduces future legal risks. By proactively disclosing financial conditions, fund flows, user agreements, and privacy policies, project parties can better win users' trust.
On the basis of compliance, project parties may consider establishing user asset protection funds. When the platform experiences theft or unexpected losses, users can be compensated promptly. This is not only a commitment from the project party to users but also a reflection of industry self-discipline. By establishing such protection mechanisms, trust crises following incidents can be mitigated.
(3) Self-regulation of KOL Promotions
For those KOLs and influencers who stand by projects on social media, the DEXX incident serves as a practical reminder that some advertising fees cannot simply be earned by posting a tweet; to avoid becoming targets of user criticism, KOLs must take on more responsibility in their promotional activities.
Due Diligence is a Basic Obligation: KOLs should conduct basic project investigations before accepting promotional invitations from project parties, understanding the project's background, technical strength, and security measures. If they find significant issues regarding fund security or compliance, they should decisively refuse, regardless of how high the advertising fee is. After all, short-term gains cannot compensate for long-term trust losses.
Establish Risk Warnings and Disclaimers: In promotional content, KOLs should proactively inform fans of the potential risks of investment rather than only promoting the "high returns, low risks" aspect. Especially when promoting decentralized financial products, it is advisable for KOLs to include clear disclaimers, reminding users to invest cautiously. This not only protects themselves legally but also holds them morally accountable to their fans. As opinion leaders, KOLs have a trust relationship with their fans. If the promoted project encounters issues, KOLs should take the initiative to express their stance rather than evade responsibility. Through this transparent communication approach, the negative impact of incidents can be effectively mitigated.
Conclusion
The DEXX incident once again proves that decentralization cannot be used as a "protective shield." If the project party cannot even manage basic security, they are playing with fire. Hacker attacks are external factors, but inadequate internal security management is the real problem. If user assets are treated lightly, the only one who will ultimately suffer is themselves.
As for those KOLs who helped promote the project, there is no need to focus solely on the immediate advertising fees and casually stand by. The crypto community is a circle, and once the reputation is damaged, it is not so easy to recover. After all, fans' money does not come easily; everyone has their own scale of judgment.
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
