Pundi AI delisted by a South Korean exchange after being attacked, co-founder Danny Lim responds

On July 12, Pundi AI was attacked by hackers, resulting in the abnormal issuance of 1 million tokens. The team quickly took action to freeze, track, and recover assets, ultimately successfully recovering and freezing nearly 90% of the stolen funds, and advanced over a million dollars to complete full user compensation. However, Pundi AI was notified by the Digital Asset Exchange Association of Korea (DAXA) to be delisted from Korean exchanges due to "untimely information disclosure."

To better understand the context of the event, here is a review of the key timeline:

• March 2 - Function X announced a rebranding to PUNDIAI and a token swap to PUNDI, at which point the hacker was already lurking.

• July 12 - Hackers launched an attack, resulting in the abnormal issuance of 1 million tokens; transfers were frozen that day and tracking was initiated; that evening, the CEO publicly announced to the community that the contract had encountered a vulnerability.

• July 14 - Fully disclose the investigation results and solutions of the attack incident to the exchange, and communicate with DAXA.

• July 28 - Some South Korean exchanges announced the delisting of PundiAI on August 28.

• July 31 - Official statement recovers over 80% of assets, full user compensation completed within 11 days.

PANews exclusively interviewed Danny Lim, co-founder of Pundi AI, to comprehensively review the entire event process. Danny also posed a dilemma: in the process of outsmarting the hacker, should one prioritize ensuring user funds safety without alarming the hacker? Or should one prioritize transparency, promptly disclosing information, but potentially allowing the hacker to accelerate fund transfer and thereby increase the amount of damage? This time Pundi AI chose the former, but also bore the cost of the choice due to the "flaw" in transparency.

Danny stated that being delisted from a compliant exchange has instead "unlocked" the project’s development. In the past, they could not casually repurchase or destroy tokens without the exchange's consent. Now, they can use token economics more flexibly to give back to the community. Pundi AI will also repurchase tokens and conduct airdrops to users, "thanking them for choosing to stand with us during difficult times."

Theft, Delisting and Difficult Choices

Danny explained that the security incident occurred around 2:20 PM on July 12, and the system issued a warning around 2:40 PM. Initially, the team believed it was a bug in the contract, but by 5 PM, it was confirmed that it was an attack. They immediately contacted major exchanges, requesting to suspend the deposit and withdrawal functions of PUNDIAI.

Hackers exploited a vulnerability in the token migration contract. When deploying a new contract in February, the hackers submitted a transaction with a higher Gas fee within the same block, preemptively calling and gaining administrator privileges of the contract. This technique is very precise and requires accurate calculation of the timing and block of the transaction.

Danny reminded that this is a very hidden vulnerability, which only became exposed when the attack occurred in July. Recently, several projects on the Base chain and Ethereum have been attacked using similar methods in the last three to four weeks. He calls on all peers, especially those planning to conduct token migrations or contract upgrades, to be aware of the potential security risks of this "race attack."

After discovering the theft, the team decided to avoid alarming the thief and quietly track and freeze the assets in order to maximize the chances of recovery. This strategy proved effective, successfully intercepting approximately 95% of the stolen assets on Ethereum and their own mainnet F(x)Core. The main losses occurred on the BSC chain due to delayed responses from third-party service providers over the weekend.

Overall, the attack resulted in the issuance of tokens worth over 6 million dollars at the time of the market price. Through freezing and recovery, approximately 87% of the assets were successfully reclaimed. The team decided to bear nearly 2 million dollars in losses themselves.

Danny stated that they had extensive communication with DAXA, but ultimately received a delisting notice. DAXA did not provide a specific reason, and according to the exchange's announcement, the reason for delisting was "untimely disclosure," without offering any justification or room for mitigation.

Danny believes that the biggest lesson is that in the Korean market, the timeliness and transparency of information are more important than anything else. This is a painful lesson; they did not strike a balance between "quietly recovering assets" and "public disclosure at the first moment." He hopes to warn all projects that are live in Korea or planning to launch in Korea.

The Dilemma and Future Planning of the South Korean Market

Pundi AI has been operating in the South Korean market for a long time, having launched on South Korean exchanges since 2019. They have accumulated at least two to three hundred thousand users, and possibly even more than four hundred thousand.

Danny stated that the South Korean market is quite unique, with users heavily relying on centralized exchanges for trading, and there is generally low acceptance of DeFi or on-chain operations. About 80% of the trading volume and 70% of the tradable tokens are on South Korea's centralized exchanges. Therefore, this delisting has a huge impact on their liquidity.

Despite the great difficulty of relaunching, they are still actively communicating with DAXA and various exchanges, hoping to gain trust and return to the Korean market.

It is reassuring that after the delisting announcement, the price of Pundi AI has remained relatively stable, which indicates that the community and coin holders still believe in them.

For the community, Danny stated that they have three core plans:

1. Increase investment in on-chain and decentralized exchanges, and use funds to establish deeper liquidity pools on major DEX platforms.

2. Vigorously promote the brand new AI data products.

3. Launch token buyback and airdrop plans to more flexibly utilize token economics to reward the community.

The Vision and Challenges of AI Data Assetization

Danny introduced their new product Data Pump, which is an "AI Dataset Launchpad". Users can package various content data into NFTs, then mortgage this NFT on the platform to generate corresponding tokens, and directly create trading pairs for trading on the DEX.

Compared to other AI data projects, Pundi AI focuses on specialized segments such as medical imaging, autonomous driving, legal documents, etc., ensuring the professionalism and high quality of the data. They also developed AI AMM (Automated Market Maker), achieving the assetization and monetization of data. In addition, they have PB-level data volume on-chain, which is quite substantial in the Web3 space.

Regarding the development bottleneck in the Web3 AI field, Danny believes that there is currently nothing truly useful that can change lives. The so-called "decentralized computing power" at this stage is more like a false proposition. The real value of blockchain in the AI field lies in the "data layer," which is to protect users' data sovereignty and privacy.

Danny predicts that the Web3 AI sector is likely to usher in a real boom, which may require waiting for a traditional AI giant to actively embrace blockchain technology due to some opportunity, providing users with data protection features. He believes that this day should not be far off.