Pundi AI Hacker Attack Incident Full Analysis: Recovered 87% of Assets, Started Token Repurchase to Reward Users

Pundi AI Incident Review: The Choice and Lessons of Prioritizing User Asset Protection

In mid-July, Pundi AI suffered a carefully planned hacker attack, resulting in the abnormal issuance of 1 million tokens. In the face of this crisis, the team chose to first freeze, track, and recover the assets, and to disclose publicly only after ensuring the safety of the funds. Ultimately, nearly 90% of the stolen funds were successfully recovered and frozen, with over one million dollars advanced to complete full user compensation. However, several major exchanges in South Korea notified Pundi AI that it would be delisted due to "untimely information disclosure."

Forced to leave after 5 years in Korea, is Pundi AI's priority to protect user assets a "wrong decision"?

The following is the timeline of key events:

  • March 2: Pundi AI announced its brand restructuring and token swap. At this time the hacker had already infiltrated but had not been detected.
  • July 12: Hackers launched an attack, resulting in an abnormal issuance of 1 million tokens. Transfers were frozen and tracking was initiated on the same day. That evening, the CEO publicly disclosed the contract vulnerability to the community.
  • July 14: The team disclosed the results of the attack investigation and solutions to the exchange and communicated with regulatory agencies.
  • July 28: Several South Korean exchanges announced that they will delist Pundi AI on August 28.
  • July 31: An official statement reported that over 80% of assets had been recovered and that full user compensation was completed within 11 days.

In this incident, Pundi AI faced a dilemma: whether to prioritize ensuring the safety of user funds without alarming the hackers, or to maintain transparency by publicly disclosing information, which could potentially exacerbate the losses. Ultimately, the team chose the former, but also suffered consequences due to the "flaws" in transparency.

The co-founder of Pundi AI stated that being delisted has instead unlocked the "seal" on the project's development, allowing for more flexible use of token economics to give back to the community. They plan to buy back tokens and airdrop them to users in appreciation of the community's support during difficult times.

Regarding the details of the hacking incident, the person in charge explained that the hackers exploited a vulnerability in the token migration contract to gain administrator privileges ahead of time, when the new contract was deployed in February. This "front-running attack" technique is very precise and requires accurate timing of transactions.
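The page gives no contract-level detail of the front-running step, so this added example (not Pundi AI's code) shows only the defender's check that would surface its result: replay role and ownership events after a deployment and flag any privileged holder outside an allowlist. The event names follow OpenZeppelin conventions, and the roles, addresses and log records are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample records (not data from the incident). Event names follow
# the OpenZeppelin conventions RoleGranted / RoleRevoked / OwnershipTransferred;
# that the audited contract emits them is an assumption of this example.
SAMPLE_LOGS = [
    {"block": 100, "event": "OwnershipTransferred", "old": "0x0", "new": "0xDEPLOYER"},
    {"block": 100, "event": "RoleGranted", "role": "ADMIN", "account": "0xUNKNOWN"},
    {"block": 101, "event": "RoleGranted", "role": "ADMIN", "account": "0xMULTISIG"},
    {"block": 102, "event": "OwnershipTransferred", "old": "0xDEPLOYER", "new": "0xMULTISIG"},
    {"block": 150, "event": "RoleGranted", "role": "MINTER", "account": "0xBRIDGE"},
    {"block": 160, "event": "RoleRevoked", "role": "MINTER", "account": "0xBRIDGE"},
]

# Hypothetical allowlist: who the team intends to hold each privileged role.
EXPECTED = {"OWNER": {"0xMULTISIG"}, "ADMIN": {"0xMULTISIG"}, "MINTER": set()}

@dataclass(frozen=True)
class Finding:
    role: str
    account: str
    since_block: int

def current_holders(logs):
    """Replay events in block order; return {role: {account: block_granted}}."""
    holders = {}
    for log in sorted(logs, key=lambda l: l["block"]):
        if log["event"] == "OwnershipTransferred":
            holders["OWNER"] = {log["new"]: log["block"]}  # single owner at a time
        elif log["event"] == "RoleGranted":
            holders.setdefault(log["role"], {}).setdefault(log["account"], log["block"])
        elif log["event"] == "RoleRevoked":
            holders.get(log["role"], {}).pop(log["account"], None)
    return holders

def audit(logs, expected):
    """Return every current privileged holder that is not on the allowlist."""
    findings = []
    for role, accounts in current_holders(logs).items():
        for account, block in accounts.items():
            if account not in expected.get(role, set()):
                findings.append(Finding(role, account, block))
    return sorted(findings, key=lambda f: f.since_block)

def exposure_blocks(finding, head_block):
    """How long the unexpected grant has existed, in blocks."""
    return head_block - finding.since_block

if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS, EXPECTED):
        print(f"unexpected {f.role} holder {f.account} since block {f.since_block}")
```

Run as a gate right after deployment and then on a schedule, a check of this kind turns a silent privilege grant into an alert instead of a finding made after tokens are minted.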

After the incident, the team took a series of measures:

  1. Immediately froze transfers and initiated asset tracking.
  2. Communicated with major exchanges to suspend deposits and withdrawals.
  3. Provided full compensation for user losses.
  4. Upgraded contracts to prevent similar incidents from happening again.

In the end, the attack resulted in the issuance of tokens worth approximately 6 million US dollars, and the team successfully recovered 87% of the assets, bearing nearly 2 million dollars in losses.

Regarding the reason for being delisted, the person in charge stated that there had been extensive communication with the South Korean regulatory authorities, but ultimately it was still delisted due to "untimely disclosure." He believes this is a painful lesson, as the timeliness and transparency of information in the South Korean market are crucial.

Looking ahead, Pundi AI plans to:

  1. Increase investment in decentralized exchanges to provide ample liquidity.
  2. Vigorously promote the new AI data products.
  3. Launch the token buyback and airdrop program to give back to the community.

Regarding its new product Data Pump, the person in charge introduced it as an "AI data set Launchpad", aimed at tokenizing data. Users can package content data into NFTs, collateralize them on the platform to generate tokens, and trade them.

Regarding the development prospects in the Web3 AI field, the person in charge believes that the current bottleneck lies in the lack of applications that can change lives. He pointed out that the real value of blockchain in the AI field is at the data layer, which protects user data sovereignty and privacy. He predicts that the real boom in the Web3 AI track may require traditional AI giants to actively embrace blockchain technology to provide users with data protection features.

LightningLadyvip
· 08-11 06:01
The response measures are worth learning from.
TeaTimeTradervip
· 08-11 05:59
Contract auditing is very important.
DaoGovernanceOfficervip
· 08-11 05:57
Transparency first, no exceptions.