Analysis of the Pundi AI Token Theft Incident: The Difficult Decision Behind Recovering 90% of Assets and Delisting


The Incident of Pundi AI Token Theft: The Difficult Choice to Prioritize User Asset Protection

On July 12, Pundi AI suffered a hacking attack, resulting in an abnormal issuance of 1 million Tokens. In response to the crisis, the team chose to first freeze, track, and recover the assets, and publicly disclose the situation after ensuring the safety of the funds. Ultimately, they successfully recovered and froze nearly 90% of the stolen funds, advancing over one million dollars to complete full user compensation. However, Pundi AI was delisted by the five major exchanges in South Korea due to "untimely information disclosure."

Event Key Timeline:

  • March 2: Function X announced a rebranding to PUNDIAI, at which point the hacker had already infiltrated but had not been detected.
  • July 12: Hackers launched an attack, causing an abnormal issuance of 1 million Tokens; transfers were frozen that day and tracking was initiated; in the evening, the CEO disclosed the contract vulnerability to the community.
  • July 14: Disclosed the results of the attack investigation and the solutions to the exchange; communicated with DAXA.
  • July 28: Two major Korean exchanges announced that PundiAI would be delisted on August 28.
  • July 31: Official statement: over 80% of assets recovered; full user compensation completed within 11 days.

PANews exclusive interview with Pundi AI co-founder Danny Lim, reviewing the entire event process and providing safety and compliance operation reminders for the industry. Danny also discussed Pundi AI's product layout in the AI data field, as well as his thoughts on the development of the Web3 AI track.

He posed a dilemma: should a project prioritize the safety of user funds by not alarming the hackers, or prioritize transparency by disclosing information, which could accelerate the hackers' fund transfers and increase losses? This time, Pundi AI chose the former, but paid the price for "flaws" in transparency.

Danny stated that being delisted has instead lifted the "seal" on project development, allowing for more flexible use of token economics to give back to the community. Pundi AI will buy back tokens and airdrop them to users to thank them for their support during difficult times.

Forced to leave after 5 years in South Korea, is Pundi AI's priority to protect user assets a "wrong decision"?

Theft, Delisting, and Tough Choices

On the afternoon of July 12, the system issued a warning about the abnormal minting of approximately 1 million PUNDI Tokens. Initially, the team thought it was a contract bug, but by 5 PM, it was confirmed to be an attack, and they immediately contacted the exchange to suspend deposits and withdrawals.

Hackers exploited a vulnerability in the token migration contract to gain administrator privileges ahead of time, when the new contract was deployed in February. This "front-running attack" technique is precise and requires accurate calculation of transaction timing and blocks.

To maximize the recovery of assets, the team decided to avoid alarming the hacker and quietly track and freeze the assets. On the evening of July 12, an announcement was made on social media regarding the contract issue and the handling plan.

This strategy proved effective, successfully intercepting about 95% of the stolen assets. The main losses occurred on the BSC chain due to delayed responses from third-party service providers over the weekend. The team compensated affected users at fair market prices.

The attack resulted in the issuance of over 6 million dollars worth of tokens, with 87% ultimately recovered, and the team bearing nearly 2 million dollars in losses.

Despite multiple communications with DAXA, the team ultimately received a delisting notice. Danny believes this is a painful lesson: in the South Korean market, the timeliness and transparency of information are crucial. This serves as a wake-up call for all projects that are live or planning to go live in South Korea.

The Dilemma and Future Planning of the Korean Market

Pundi AI has been operating in South Korea for 5-6 years since 2019, accumulating 200,000 to 400,000 users. South Korean users are highly reliant on centralized exchanges, with about 80% of trading volume and 70% of tradable Tokens occurring on South Korean exchanges.

It is very difficult to be relisted after a delisting, but the team is still actively communicating. Danny is pleased that the coin price has remained stable after the delisting, showing the community's trust.

The three major plans to follow:

  1. Increase investment in decentralized exchanges and provide sufficient liquidity.
  2. Vigorously promote new AI data products.
  3. Release the Token buyback and airdrop plan to give back to the community for their support.

The Vision and Challenges of AI Data Assetization

Pundi AI's new product Data Pump is the "Launchpad for AI Datasets", allowing users to package content data into NFTs, collateralize them to generate Tokens, and trade on DEX.

Compared to other projects, Pundi AI focuses on specialized niche data, ensuring high quality. It has developed an AI AMM to achieve data assetization and monetization. Currently, it possesses PB-level on-chain data storage.

Danny believes that the bottleneck in the development of Web3 AI lies in the lack of practical applications that change lives. The true value of blockchain in the AI field is at the data layer, protecting user data sovereignty and privacy. However, ordinary users have not yet realized the importance of data privacy.

The real wave of the Web3 AI track may need to wait for traditional AI giants to actively embrace blockchain and provide data protection features for users. This day may not be far off.

Comment
LuckyBearDrawervip · 1h ago
delisting is really unfair

RugpullSurvivorvip · 6h ago
Suckers who are regularly rugged.

PumpStrategistvip · 08-13 08:22
Freezing transfers without announcing it is a typical blind rush.

ZKProofEnthusiastvip · 08-13 08:21
It's good that 90% has been recovered.

OfflineValidatorvip · 08-13 08:19
Is that it? Seems quite perfunctory.

GasDevourervip · 08-13 08:16
The thief is running away.

PebbleHandervip · 08-13 08:11
Another Korean coin is cool.

SchrodingersFOMOvip · 08-13 08:10
The biggest bug in Blockchain is always the Hacker.