Pundi AI Theft Case: Balancing Asset Security and Information Transparency

Reflections on the Pundi AI Theft Incident: The Trade-off Between User Asset Protection and Information Transparency

On July 12, Pundi AI suffered a hacker attack that resulted in the abnormal issuance of 1 million tokens. The team quickly froze assets and began tracking the funds. Ultimately, nearly 90% of the stolen funds were recovered, and the team advanced over one million dollars to complete full user compensation. However, several exchanges in South Korea notified Pundi AI that it would be delisted due to "untimely information disclosure."

Forced to leave after 5 years in Korea, is Pundi AI's priority to protect user assets a "wrong decision"?

To help readers understand the context of the events, here is a review of the key timeline:

  • March 2: Function X announced a rebranding to PUNDIAI and a token swap to PUNDI, at which point the hacker had already infiltrated.

  • July 12: Hackers launched the attack, abnormally issuing 1 million additional tokens; transfers were frozen that day and tracking was initiated; that evening the CEO publicly informed the community about vulnerabilities in the contract.

  • July 14: The team disclosed the investigation results and solutions for the attack to the exchange and communicated with DAXA.

  • July 28: Several South Korean exchanges announced that they will delist PundiAI on August 28.

  • July 31: An official statement reported that over 80% of assets had been retrieved and that full user compensation was completed within 11 days.

During the incident response process, Pundi AI faced a dilemma: should they prioritize ensuring user fund safety without alerting the hackers, or maintain transparency by disclosing information promptly, potentially allowing the hackers to accelerate fund transfers? Pundi AI chose the former, but also paid a price due to the "flaw" in transparency.

Co-founder Danny Lim stated that being delisted has instead lifted a "seal" on project development, allowing more flexible use of token economics to reward the community. Pundi AI will buy back tokens and airdrop them to users, thanking them for their support during difficult times.

Hackers exploited a vulnerability in the token migration contract to gain admin privileges ahead of the new contract's deployment. The technique is very precise and requires careful timing of transactions. Danny warns all project teams planning token migrations or contract upgrades to be aware of the potential risk of "front-running attacks."

For the South Korean market, Danny pointed out that the timeliness and transparency of information are crucial. This incident has served as a wake-up call for all projects that have launched or are planning to launch in South Korea. Although the delisting has impacted Pundi AI's reputation, community users still maintain their trust, and the coin price remains relatively stable.

In the future, Pundi AI will increase its investment in decentralized exchanges, promote the new AI data product Data Pump, and implement token buyback and airdrop plans. Data Pump is a "Launchpad for AI datasets" aimed at tokenizing data, allowing users to package content data into NFTs and generate corresponding tokens for trading.

Danny believes that the bottleneck in the development of Web3 AI lies in the lack of truly useful applications that can change lives. The real value of blockchain in the AI field is to protect users' data sovereignty and privacy. He predicts that the real boom in the Web3 AI sector may have to wait for traditional AI giants to actively embrace blockchain technology and provide users with data protection features.

StablecoinGuardianvip
· 4h ago
The advance payment is quite reliable.
GasWhisperervip
· 14h ago
mempool patterns never lie... hack was brewing since march, shoulda seen those anomalies tbh
GasWranglervip
· 08-10 03:38
technically speaking, their security architecture was sub-optimal from day 1... any proper mempool analysis would've caught this
CommunityJanitorvip
· 08-10 03:38
How can we defend against this if it's still being hacked?
GasFeeTearsvip
· 08-10 03:37
The hacker is too arrogant, and the project party is having a hard time.
FlatlineTradervip
· 08-10 03:37
Trapped again, where is the brain of the Korean exchange?
JustHereForMemesvip
· 08-10 03:30
Mystery box reveals a series of Hacker attacks LOL