WazirX, India's largest virtual digital asset exchange, suffered a significant hack on July 18, 2024, resulting in a loss of $230 million, which equates to approximately 45% of user funds stored in ERC-20 tokens. The exchange’s proposed recovery plan involves "socializing" the losses by imposing a 45% haircut on all users' holdings, regardless of whether they held ERC-20 tokens, effectively locking those assets and offering limited options for trading or withdrawal. This approach mirrors a strategy used by Bitfinex in 2016 but raises concerns due to the current fragmented state of the virtual digital asset market and the exclusion of WazirX's own assets from the recovery process.
Critics argue that WazirX’s recovery plan prioritizes the company’s survival over user protection, deviating from standard insolvency practices where a company’s assets are typically pooled to pay off debts. The exclusion of company assets from the recovery plan not only undermines user trust but also highlights the absence of clear regulatory frameworks in India’s virtual digital asset market. The situation underscores the need for stronger regulations to ensure transparency, fairness, and accountability, thereby protecting consumers from significant financial losses in the volatile digital asset space.
Wazir X, India’s largest virtual digital asset (VDA) exchange by trading volume, was hacked on July 18, 2024. The incident resulted in a loss of US$ 230 million in user funds. Several blockchain intelligence platforms, such as Elliptic and CYFIRMA, attributed the hack to the Lazarus Group, a specialized North Korea-based hacker organisation with close ties to the country’s intelligence agencies. The Group is responsible for several previous VDA-related hacks, including the $540 million hack of the Ronin-bridge (a blockchain platform) in 2023.
The US$230 million stolen in the hack, which was stored in a single wallet that was compromised, represents approximately 45 percent of user funds deposited with the exchange. The compromised wallet contained only ERC-20 tokens, fungible digital assets created and transferred using the Ethereum blockchain. According to Elliptic, a majority of the stolen tokens consist of SHIBA-INU, a popular memecoin, and ETH, the native VDA of the Ethereum blockchain. The hack did not affect tokens created on other blockchains, such as Bitcoin and Solana. In other words, users who only deposited and held fiat currencies or non-ERC 20 tokens with WazirX did not lose their holdings due to the attack.
WazirX’s proposed recovery plan, released on July 27, proposes spreading losses that arose due to the hack evenly across users. The “socialization of losses” strategy mandates that all users, regardless of whether they held ERC-20 tokens, take a 45 percent haircut on their holdings with WazirX. Tokens constituting 45 percent of all users’ portfolios will be “locked” into WazirX, rendering them non-tradable and non-withdrawable. For the remaining 55 percent, users can choose between two options. The first option allows them to trade, but not withdraw, assets on the WazirX platform. Users choosing this option will be given priority in the disbursement of recovery proceeds (if any). The second option allows users to trade and withdraw 55 percent of their assets, but they will receive lower priority in disbursement of recovery proceeds. Recent statements from the exchange and its CEO suggest that it is considering alternatives, including airdropping tokens to make users whole, but no further details on these options have been provided so far.
WazirX justifies the proposed recovery process as quicker and more effective than legal proceedings, which would likely fall under the Insolvency and Bankruptcy Code (IBC) due to the company's liabilities outweighing its assets post-hack. CEO Nischal Shetty argues the “socialize losses & rebuild” strategy allows them to rebuild the business and share profits with users as and when they arise. Comparatively, legal proceedings could take several years, resulting in high legal fees and the recovery of only a small portion of the total assets.
The recovery plan also references a similar strategy employed by Bitfinex, a VDA exchange based in the British Virgin Islands, following a 2016 hack that resulted in a $70 million loss in Bitcoin, representing 36 percent of user holdings. To maintain solvency, Bitfinex imposed a 36 percent haircut on all users' holdings, regardless of whether they held Bitcoin. Additionally, Bitfinex issued BFX tokens to compensate users for their losses. These tokens represented a debt that Bitfinex promised to repay, allowing users to redeem them at par value or exchange them for equity in the exchange’s holding company. The subsequent bull run in the VDA market increased the value of Bitcoin and other VDAs, enhancing Bitfinex’s ability to recover its losses and repay the tokens. Consequently, users redeemed or exchanged their BFX tokens, and by March 2017, the exchange held more tokens in its reserves than were in circulation, restoring its solvency.[1]
However, it is questionable whether Bitfinex’s strategy could be replicated in today’s VDA market. In 2016, the market was dominated by a few exchanges, including Bitfinex, and the number of VDAs was limited, with most users holding Bitcoin. Illustratively, Bitcoin market dominance, which measures Bitcoin’s market cap against all other VDAs, stood at 80 percent in 2016. These factors made Bitfinex’s haircut more acceptable to users and other stakeholders, as keeping Bitfinex solvent was crucial to the VDA ecosystem’s viability. In contrast, today’s VDA market is characterized by numerous exchanges and thousands of VDAs, making users less likely to accept the socialization of losses.
Regardless of whether the socialization of losses strategy is acceptable to users, it seems to be a ploy to make them give up part of their VDA investments in the hope of an unlikely recovery while protecting the company’s assets. Notably, the plan does not mention the use of the company's assets, which include profits and other holdings, to compensate users. While recent financial data on the company is not available, reports from 2023 suggest that it made $7 million in profits in 2023, a 5x jump from the previous year.
Excluding company assets from the recovery process not only undermines user trust but also deviates from bankruptcy and insolvency law. In standard proceedings, an insolvent company’s own assets are pooled to pay off debts. User deposits held by the exchange might be included in this pool depending on the underlying terms of service. If included, these deposits can be sold to pay outstanding debts. Otherwise, they must be returned to the users, who are the rightful owners.
For example, Celsius, a digital asset lending platform, had terms of service stating it owned user deposits. A US court ruled these deposits were part of Celsius' liquidation pool during insolvency. In contrast, a New Zealand court found that Cryptopia's terms of service did not specify ownership of user deposits, so they were held in trust for users and not included in the liquidation pool. S. 18 of the IBC similarly excludes assets owned by third parties and possessed by the insolvent firm under trust or under contractual arrangements. Wazir X’s user agreements do not specify who owns user deposits, making their inclusion in the company’s liquidation pool during insolvency proceedings in India unlikely.
While WazirX seeks to provide immediate relief and liquidity to users, it does so by contravening accepted principles of equity, fairness, and transparency. This situation underscores the importance and necessity of a clear and stable regulatory environment to protect consumer interests and prevent the loss of savings invested in VDAs, which are recognized as a form of property under the Income Tax Act. The current lack of regulations pertaining to security, transparency, and accountability of VDA service providers allows them to skirt responsibility for mishaps and errors, often at the cost of end users.
—
[1] https://blog.bitmex.com/reckless-chapter-8-the-emergence-of-lending-markets/