Cover Protocol announced it’s exploring launching a new COVER token through a snapshot after its current one was abused in a minting attack by a “white hat” hacker on Monday morning.

The hacker, which could be an individual or a small group, claimed responsibility for an exploit in the decentralized finance (DeFi) insurance project, tricking the protocol into minting 40 quintillion COVER tokens. The hacker cashed out the tokens in other cryptocurrencies including ether, DAI and WBTC but later gave all the funds back to the protocol.

“The 4350 ETH that has been returned by the attacker will also be handled through a snapshot to the LP token holders. We are still investigating,” according to the project’s Twitter account urging its users not to buy any COVER tokens now.

Read more: Who Insures the Insurer? Cover Protocol Attack Exposes DeFi’s Promise and Peril

The development team behind Cover Protocol, which recently merged with Yearn Finance, is still investigating how exactly the hacker exploited its system. Sorawit Suriyakarn, chief technology officer at Band Protocol, said the attack appears to be related to a bug in the smart contract, where memory and storage were used incorrectly.

COVER token’s price has been on a wild ride over the last day, plummeting by over 75% to $177 on news of the hack before partially rebounding to over $240 after the hacker announced they’d returned the funds.

Coinbase said it will suspend trading of XRP, the cryptocurrency behind the U.S. Securities and Exchange Commission lawsuit against Ripple Labs last week claiming it is really a security.

Coinbase first listed XRP on its retail-facing platforms in February 2019. Starting now, XRP trading “will move into limit only,” Coinbase wrote. It will be fully suspended on Tuesday, Jan. 19, 2021, at 1 p.m. ET.

“We will continue to monitor legal developments related to XRP and update our customers as more information becomes available,” Paul Grewal, Coinbase’s chief legal officer, wrote in a blog post shared in advance with CoinDesk.

Coinbase said users’ XRP wallets will “remain available for receive and withdraw functionality after the trading suspension.”

Notably, the exchange said it will still support an upcoming airdrop of Spark tokens to XRP holders. XRP will still be supported by Coinbase Custody and in the self-custodial Coinbase Wallet.

Coinbase declined to comment beyond its written statement.

The price of XRP on Coinbase fell from $0.28 to $0.24 within the first 20 minutes of the announcement. Since the announcement of the SEC’s lawsuit last week, the price of XRP has fallen by more than 50%.

Ripple effect

For Coinbase, the reason for dropping XRP as a traded asset was simple: As the company seeks to go public, being a platform for something that’s potentially a security would mean adding more paperwork simply so it could be legally allowed to let retail customers buy and sell a single cryptocurrency.

The SEC claimed last week that XRP is a security, and that Ripple has been selling it without registering or seeking an exemption for seven years, raising $1.3 billion in the process. The legal battle itself is just beginning, and litigation might take years if Ripple fights the charge in court, as it has indicated it would.

Coinbase is now the biggest exchange to act on XRP and could serve as a bellwether for other platforms. On Friday, Bitstamp announced it would halt XRP trading and deposits for all U.S. customers on Jan. 8.

Similarly San Francisco-based OKCoin announced its XRP suspension earlier Monday, effective Jan. 4.

Exchanges that continue to list XRP without registering as a securities exchange with the SEC face potential consequences down the line, including possible enforcement actions. However, should Ripple prevail in its defense, Coinbase can likely re-list XRP fairly easily.

Alex Kruger, a trader and analyst, said, “Crypto exchanges are unregistered with the SEC (by choice, as registering carries on many burdens and increased costs) and thus it is in their best interest to not offer trading of securities. It is for their protection, not their customers’.”

Gabriel Shapiro, an attorney with Belcher, Smolen & Van Loo LLP, told CoinDesk last week that the question of whether exchanges should delist is a complicated one, with both business and legal considerations. 

UPDATE (Dec. 28, 23:35 UTC): Adds XRP price reaction.

Monday’s $4 million attack on the Cover Protocol, a decentralized insurance service, sent my mind to that classic nursery rhyme, “There Was an Old Lady Who Swallowed a Fly.”

You know, the one where an unfortunate woman keeps eating ever-larger animals to catch the previously swallowed animal. 

Decentralized finance faces a similar problem with decentralized insurance. Decentralized insurance exists to protect people from losses if a DeFi protocol’s coding flaws allows someone to attack it. But what happens when there’s a vulnerability in the insurance protocol? What do you swallow to fix that?

Now, I don’t think DeFi ends up like the old lady – “dead, of course” – from eventually having to swallow the blockchain equivalent of a horse. These kinds of live, fully public situations, with real-world losses, are what drive open-source developer communities to build better stronger systems. That prospect is strengthened by the fact that this attack came from a “white hat” hacker rather than a bona fide crook.

But the Cover story provides a sobering coda to a year of startling innovation that stirred the imagination for a new financial system unencumbered by centralized gatekeepers. It shows how far that system still needs to develop. 

Promise

This year, the DeFi “degens” showed us how to create a complete decentralized stack of virtually everything from the old, centralized system, with open protocols for exchanges, lending, borrowing, collateral management, credit default swaps and even virtual dollars. 

This is exciting, not only because removing Wall Street intermediaries could reduce costs, or at least more equitably disburse them, but because it promises an end to counterparty risk, a core problem with the incumbent system’s closed, centralized architecture. 

In the credit default swap crisis of 2008, market participants had no visibility into their counterparties’ multiple, hidden financial exposures, which is a recipe for mistrust. CDS and other contract-based instruments designed to help investors hedge their risks were dependent on the contracted parties’ ability to make good on their promises. So when people no longer believed in those promises, the rush for the exits meant those hedges were not only worthless but made matters worse. They offered nothing but systemic risk.

DeFi promises to avoid this. If a contract to deliver collateral in the event of a price reduction is executed by a protocol that draws on funds locked in decentralized escrow, with no single party in control of them, in theory counterparty risk is gone. The same theory applies to decentralized exchanges (no more Mt. Gox or QuadrigaCX), decentralized CDS and other parts of the DeFi ecosystem. 

Peril

The problem is we’ve traded counterparty risk for software risk. And one could argue that’s even riskier. The caveat emptor ethos of DeFi is great for daring-do innovation and speculative buzz, but when there’s no centralized service provider to hold accountable and when hackers using untraceable pseudonyms can easily escape law enforcement, there’s little to no legal recourse after an attack. 

For the bulk of humanity, especially the big institutions that manage our fiat savings, that scenario is untenable. 

It doesn’t matter that all those institutions face their own software vulnerabilities. (A recent report by the Center for Center for Strategic and International Studies and computer security company McAfee estimated the total cost of cybercrime, including both losses and security expenses, will exceed $1 trillion in 2020.)  It’s that if those “too big to fail” institutions’ losses get too big, whether from crime or financial panic, the government and central bank will ultimately find ways to socialize those losses. They just need an identifiable perp on which to level blame. 

A decentralized system doesn’t allow for that, which is why it needs a new model of insurance against losses. The problem with that is, well, what happened to Cover.

A way forward

For now, the solution may lie with centralized insurance systems so that there’s someone holding the bag who can be identified and sued. Those services exist and, with an insistence on thorough, ongoing and top-level code audits, some will reach enough of a comfort level to bear the risk – at a price. 

But not only will that add costs, it brings us back to the same counterparty risk problem. What happens if there’s a 2008-level system-wide crisis in DeFi?  What happens when everyone fears a breakdown and no one trusts that the overexposed insurers – or their reinsurer underwriters – have the wherewithal to cover the fallout? 

This is why, to attain the ideal, decentralized insurance is needed. It’s just that its development needs to occur live, in real-time, tested in the real world so that bugs can be exposed and patched. 

And that’s why today’s attack is actually good news. An unidentified person seemingly involved with Grap Finance finds a bug in a protocol, uses it to drain a lot of COVER tokens, giving everyone involved a short period of panic. Then in a classic white hat move, he/she/they return the funds to the Cover Protocol and publicly announce, via Twitter, that they’ve done so. 

Since then, people like Band Protocol CTO Sorawit Suriyakarn have worked to explain, in a similarly public way, how the hack occurred. While some might see that as an invitation for other hackers, it’s most importantly an alert to others within DeFi to patch similar bugs. Already, Cover has pivoted to develop a new token.

What doesn’t kill you will make you stronger. That’s the notion that will ultimately drive the DeFi ecosystem to create a scalable new model for global finance. 

It’s just not going to happen tomorrow.

OKCoin said Monday it will suspend XRP trading and deposits on its crypto exchange, effective on Jan. 4, 2021.

The exchange specified two key dates along the suspension timeline. “At 3 a.m. UTC time on January 4, the exchange’s users who have borrowed from the XRP/USD margin pair (including borrowing XRP and U.S. dollars) are required to return the borrowed value before this time at 3 a.m. UTC time on Jan. 4,” the exchange said. “Delays will trigger a liquidation by our systems to close the loan contracts.”

At 3 a.m. UTC on Jan. 5, XRP’s spot trading, margin trading and deposits will be suspended until further notice, according to the exchange.

“It is likely that this situation will take time to reach a resolution. We will proactively inform our customers when we have information that may change our position,” OKCoin said in the statement.

OKCoin became the latest exchange to delist XRP because of the U.S. Securities and Exchange Commission’s recent filing against Ripple Labs, alleging XRP is a security.