Should the project party compensate?

Written by: Liu Honglin, Xu Yuwen

In recent days, the DEXX incident has become a hot topic in the cryptocurrency community. Many friends have sent me messages asking for my legal perspective on this incident, especially on whether the project party and those promoting it are legally liable for the theft of user assets. In this article, I will sort out the ins and outs of the incident and share my personal legal views.

Background Review

On November 16, 2024, the DEXX platform suddenly experienced a major hacking incident, with a large number of users reporting that their assets mysteriously disappeared from their accounts. This news quickly spread on social media, triggering widespread panic and anger. At first, many users thought it was just a system malfunction, but as security auditing firms CertiK and PeckShield conducted in-depth investigations, it was soon confirmed that the DEXX platform had serious private key management vulnerabilities. Hackers easily gained access to the platform's core wallet through this vulnerability and transferred user assets to multiple anonymous addresses.

After the incident, the DEXX team issued an open letter, attempting to offer a bounty in exchange for the return of assets by the hackers. However, this letter not only failed to calm users' anger but also sparked more questions. Some believe that the DEXX team may have staged an 'internal crime.' Various signs indicate that the waters behind this incident are not shallow, and affected users have begun to spontaneously organize rights protection actions in an attempt to recover their losses.

The project party's responsibility: a makeshift team or force majeure?

As a lawyer, I believe it is essential to clarify one point first: should the project party compensate users for their losses? If the DEXX project party indeed caused user assets to be stolen through its own management mistakes, especially 'basic errors' in private key management, then legally it should be responsible for compensating users. To put it bluntly, if the project party's security vulnerabilities were caused by carelessness or technical negligence rather than force majeure, then user losses cannot simply be attributed to 'hacker attacks.'

According to common user agreements, platforms usually exempt themselves from liability for force majeure events, but this incident clearly does not fall under natural disasters or uncontrollable external factors; rather, it stems from the project party not fulfilling its due safety management obligations. In such cases, the law generally treats it as 'mismanagement' rather than force majeure. However, protecting one's rights through domestic litigation is quite challenging. Since DEXX is an offshore-registered company, users would need to pursue cross-border claims, and under the current legal environment in China, judicial protection for virtual currencies faces many restrictions. Therefore, even if users have legitimate compensation claims, the likelihood of actually realizing them remains low.

Moreover, it is worth mentioning that if this incident was not due to a hacker attack but rather a 'scam' orchestrated by the project party itself, the situation would be entirely different. If evidence shows that the project party intentionally used the hacking incident to cover up illegal diversion of user assets, this could be classified as fraud domestically. Some may think that since the project party is overseas, domestic law enforcement cannot do anything. However, as long as the amount involved is significant enough, law enforcement has every incentive to initiate cross-border pursuits through international cooperation. There have been numerous successful cases of similar arrests in history, and believing that being overseas means being safe is quite naive.

KOL Responsibility: A Dual Test of Law and Character

In this incident, many KOLs in the cryptocurrency circle supported DEXX, actively promoting it on social media to attract new users and earn commissions. Compared to other platforms, DEXX offered a higher commission rate, reaching up to 50-60% of transaction fees, which raises another question: do KOLs who help attract new users need to bear legal responsibility? This has also been a topic of discussion in the rights protection group. Recently, I saw someone online compiling a list of KOLs who promoted DEXX, including some friends I personally know. KOLs have responded in various ways; some deleted their promotional posts, while others publicly apologized and promised compensation, but these are all spontaneous personal actions.

To conclude, from a legal perspective, if these KOLs merely received promotional fees for their assistance in advertising, law enforcement agencies are unlikely to prioritize holding them accountable. From a cost-effectiveness standpoint, it is more efficient to concentrate efforts on core project parties rather than spreading resources thinly across multiple KOLs.

However, the reputation and credibility of KOLs in the cryptocurrency circle are crucial. I suggest that these big influencers, if they wish to maintain a good brand image in the circle, provide appropriate explanations and statements to their fans within an acceptable range. Of course, this goes beyond the legal scope. But at the very least, it serves as a reminder to all KOLs that when promoting projects, they cannot just look at the advertising fees while neglecting basic risk control of the project. Otherwise, when users are harmed because of this promotional content, even if KOLs are legally exempt, they may still struggle to escape community condemnation and will bear significant moral and community pressure.

Compliance Advice from Lawyer Mankun

The DEXX incident has exposed not only technical vulnerabilities but also a lack of compliance awareness. If the project party had conducted risk assessments and taken preventive measures in advance, many issues could have been avoided. The DEXX incident has led many friends to lament that the world is indeed a huge makeshift team; how the situation develops remains to be seen. But at least the problems exposed at this stage have provided some useful lessons for project parties and practitioners in the Web3 industry.

(1) Safety Management: Multi-layered Protection from Technology to Systems

First of all, for any cryptocurrency project, the safety of funds is paramount. The lesson from the DEXX incident is that no matter how good the technological innovation is, if the fundamental safety measures are not in place, everything is just a house of cards. Here, I want to emphasize a few specific safety management measures:

Multi-signature and hardware isolation for private key management: The project party should adopt a multi-signature mechanism to ensure that even if one party's private key is leaked, funds cannot be stolen. Meanwhile, private key storage should use cold wallet isolation to prevent online attacks. Core wallet private keys, in particular, should never be stored on internet-connected devices. It is recommended to use a combination of hardware wallets and offline backups to minimize the risk of theft by hackers.

Introduce third-party security audits and regular testing: Security audits should not be merely a formality but should be a necessary step before a project goes live. In the case of DEXX, there was a clear lack of auditing and stress testing for the private key management system. The project party should regularly invite professional security companies to conduct code reviews and vulnerability tests, promptly fixing any identified issues. Additionally, an internal emergency response team should be established to ensure rapid response to unexpected events instead of fumbling in a crisis.

Improve internal risk control processes: Besides technical security, the project party should establish comprehensive internal management systems, including permission control, operation log review, and monitoring of abnormal behavior. For instance, fund transfer operations should go through a strict approval process and leave detailed operation records. In the event of an anomaly, it should be possible to quickly trace back to the source and take blocking measures to prevent further losses.
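To make the three controls above concrete (an M-of-N approval threshold for fund transfers, a tamper-evident operation log, and blocking of anomalous transfers), here is a small treasury-control simulation. It is an added example written for this article, not DEXX's code or any project's actual implementation; the signer names, destination addresses, and the policy values (threshold of 2, a 10,000 single-transfer limit, a 25,000 daily limit) are constructed assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Policy values are constructed for this example, not a real platform's settings.
APPROVAL_THRESHOLD = 2         # signatures required to execute (M of N signers)
LARGE_TRANSFER_LIMIT = 10_000  # a single transfer above this is flagged
DAILY_LIMIT = 25_000           # cumulative executed amount that triggers a flag


@dataclass
class TransferRequest:
    request_id: int
    requester: str
    destination: str
    amount: int
    approvals: set = field(default_factory=set)
    status: str = "pending"
    flags: list = field(default_factory=list)


class TreasuryController:
    """Gate fund transfers behind M-of-N approval and a hash-chained audit log."""

    def __init__(self, signers, known_destinations):
        self.signers = set(signers)                      # permission control
        self.known_destinations = set(known_destinations)
        self.requests = {}
        self.log = []            # each entry carries the hash of the previous one
        self.executed_today = 0  # single "day" window, enough for the example

    def _record(self, action, **details):
        prev_hash = self.log[-1]["hash"] if self.log else "0" * 64
        entry = {"seq": len(self.log), "action": action, "prev_hash": prev_hash, **details}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.log.append(entry)

    def _anomaly_flags(self, req):
        flags = []
        if req.amount > LARGE_TRANSFER_LIMIT:
            flags.append("large_amount")
        if req.destination not in self.known_destinations:
            flags.append("unknown_destination")
        if self.executed_today + req.amount > DAILY_LIMIT:
            flags.append("daily_limit")
        return flags

    def request(self, requester, destination, amount):
        if requester not in self.signers:
            raise PermissionError(f"{requester} is not an authorised operator")
        req = TransferRequest(len(self.requests) + 1, requester, destination, amount)
        req.flags = self._anomaly_flags(req)  # detect anomalies at request time
        self.requests[req.request_id] = req
        self._record("request", request_id=req.request_id, requester=requester,
                     destination=destination, amount=amount, flags=req.flags)
        return req

    def approve(self, signer, request_id):
        req = self.requests[request_id]
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not an authorised signer")
        if signer == req.requester:  # separation of duties: no self-approval
            self._record("approve_rejected", request_id=request_id, signer=signer,
                         reason="self_approval")
            return "rejected_self_approval"
        if signer in req.approvals:
            return "duplicate"
        req.approvals.add(signer)
        self._record("approve", request_id=request_id, signer=signer)
        return "approved"

    def execute(self, request_id):
        req = self.requests[request_id]
        if req.status != "pending":
            return req.status
        if len(req.approvals) < APPROVAL_THRESHOLD:
            return "pending"
        if req.flags:  # blocking measure: flagged transfers are held for review
            req.status = "held"
            self._record("held", request_id=request_id, flags=req.flags)
            return "held"
        req.status = "executed"
        self.executed_today += req.amount
        self._record("execute", request_id=request_id, amount=req.amount)
        return "executed"

    def verify_log(self):
        """Return False if any log entry was altered or removed after the fact."""
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev_hash"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    tc = TreasuryController(["alice", "bob", "carol"], ["0xKNOWN_EXCHANGE_DEPOSIT"])
    r = tc.request("alice", "0xKNOWN_EXCHANGE_DEPOSIT", 5_000)
    tc.approve("bob", r.request_id)
    tc.approve("carol", r.request_id)
    print("normal transfer:", tc.execute(r.request_id))
    r2 = tc.request("bob", "0xNEVER_SEEN_BEFORE", 50_000)  # constructed anomaly
    tc.approve("alice", r2.request_id)
    tc.approve("carol", r2.request_id)
    print("anomalous transfer:", tc.execute(r2.request_id), r2.flags)
    print("log intact:", tc.verify_log())
```

The point of the design is that no single operator can move funds alone, the requester cannot approve their own request, and a transfer that is unusually large, goes to a never-seen address, or breaches the daily limit is held even after reaching the signature threshold. The chained hashes mean that a later edit to any log entry breaks `verify_log()`, which is what makes the operation records usable for tracing back to the source after an incident.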

(2) Compliance Operation: Actively Embrace Regulation to Enhance Market Trust

In the current context of increasingly strict global regulatory oversight of the cryptocurrency market, compliant operations by project parties are no longer optional but a necessity for survival. Many Web3 projects choose offshore registration to evade legal risks; however, it has been proven that once user asset losses or fraudulent activities occur, this layer of 'offshore protection' does not truly shield project parties from legal accountability.

For project parties planning long-term development, it is advisable to establish compliant entities in major markets to ensure legal and regulatory operations locally. This can not only enhance the project's credibility but also effectively reduce future legal risks. By proactively disclosing financial conditions, funding flows, user agreements, and privacy policies, project parties can better win users' trust.

On the basis of compliance, project parties can consider establishing user asset protection funds. When the platform experiences theft or unexpected losses, it can promptly compensate users. This is not only a commitment from the project party to users but also a reflection of industry self-discipline. By establishing such protection mechanisms, it is possible to reduce trust crises following incidents.

(3) Self-regulation of KOL promotion

For those KOLs and influencers who promote projects on social media, the DEXX incident serves as a practical reminder that some advertising fees are not worth the risk; to avoid becoming targets of user criticism, KOLs must take on more responsibility in their promotional activities.

Due diligence is a basic obligation: KOLs should conduct basic project investigations before accepting promotional invitations from project parties, understanding the project's background, technical strength, and safety measures. If they find obvious issues in financial security or compliance, they should decisively refuse, regardless of how high the advertising fees are. After all, short-term gains are not enough to compensate for long-term trust losses.

Establish Risk Warnings and Disclaimers: In promotional content, KOLs should proactively inform fans of the potential risks of investment, rather than only promoting the 'high returns, low risks' aspect. Especially when promoting decentralized financial products, KOLs are advised to include clear disclaimers to remind users to invest cautiously. This not only legally protects themselves but also shows moral responsibility to fans. As opinion leaders, KOLs have a trust relationship with their fans. If the promoted project encounters issues, KOLs should take the initiative to express their stance promptly, rather than evade responsibility. This transparent communication can effectively mitigate the negative impact of the incident.

Conclusion

The DEXX incident once again proves that decentralization cannot be used as a 'protective talisman.' If a project party cannot even manage basic safety, it is playing with fire. Hacker attacks are an external factor, but inadequate internal security management is the real issue. Those who treat user assets lightly will ultimately be the ones who suffer.

As for those KOLs who helped attract new users, they shouldn't just look at the immediate advertising fees and casually support projects. The cryptocurrency circle is a tight-knit community, and once one's reputation is damaged, it’s not easy to recover. After all, the money of fans doesn’t come from thin air; everyone has their own judgment.