After launching our SPORTS utility token back in July 2019, it was ZenSports’ goal to then get the utility token listed on a third party exchange so that customers who use our utility token for wagering and earning rewards would have a way to cash out their tokens without ZenSports having to provide liquidity to them at a fixed price. In our quest for eventual full decentralization, we have always wanted the marketplace to decide what the token is worth and to provide that liquidity to customers, especially as ZenSports the company continues to take steps to remove itself from the process within our peer-to-peer sports betting marketplace.
Being a relatively small startup, ZenSports has not been in a position to afford multi-million dollar listing fees with exchange companies such as Binance, or even $100,000+ listing fees with certain top 10 exchanges. When we were approached by a top 40 exchange called Dcoin in September 2019 to list our SPORTS utility token with them, we thoroughly researched the company, the team, and the product. We liked that they were backed by top cryptocurrency investors in China and Switzerland, that they had a very reputable team, and that their product looked and worked great (almost a clone of Binance, with an easy-to-use UX and mobile app). At a cost of only 2 BTC, we were excited to begin working with Dcoin and their team to get our token listed with them.
On September 12, 2019, trading of our SPORTS utility token began on Dcoin. For the next 4 months, everything went smoothly — Dcoin’s team was easy to work with and get a hold of, and their product was easy to get funds into and out of as well as to conduct trades of our SPORTS token. We had every intention of keeping a long-term relationship with Dcoin as the primary third party exchange that we would use for trading of our utility token.
All of that changed earlier this month on January 9, 2020.
Before we dive deeper into the series of unfortunate events that caused us to lose faith in Dcoin and ultimately terminate our relationship with them, we first need to discuss that Dcoin is a centralized exchange, and what being a centralized exchange really means.
Blockchain vs. Centralized transactions
With blockchain transactions (otherwise known as on-chain transactions), no centralized authority holds the private keys to your wallet or the funds in your wallet. Most blockchains use a form of “proof of ownership”, which means your private keys → your wallet → your funds. No one else can get in the way between you and your money, and no one can manipulate or change that transaction in any way. In addition, all blockchain transactions are verifiable and transparent through the block explorer. If I send you one token, not only can no one change that transaction or prevent it from happening, but the actual transfer of that token is real, verifiable, and provable after the fact on the block explorer.
Centralized transactions on the other hand, are entirely managed by a third party. Your account and your funds are just a number in that third party’s database. The centralized third party that holds your funds could go in and change the number of your available balance in their database to something higher or lower at any point in time, and you would never be able to do anything about it. Hackers can do this too, which is why centralized exchanges have often been the targets of hacking. The lack of control over ones funds, or having to worry about getting a third party’s “permission” to do something is a big reason why blockchain technology is such a huge opportunity.
Back to Dcoin. They’re like most other cryptocurrency exchanges in that they’re a centralized exchange. They hold all of their coins/tokens in their own centralized wallet with only them holding the private keys to that one wallet. So again, your funds with them are actually held by them (not you), and your funds are just a number in their database. This in and of itself isn’t a terrible thing, as again, most companies and even crypto exchanges are centralized. But it’s a key concept to thoroughly understand when holding funds with a third party that you don’t really hold the private keys to your wallet, and thus, you don’t really “own” the funds.
With that stage set, below are the series of events that took place that have ultimately led to our decision to remove our SPORTS token listing from Dcoin.
- On January 9th, ZenSports transferred our 2019 Q4 dividend payment of SPORTS utility tokens to all SPORT security token wallet holders. With over 4,000 transfers needing to be made, these tokens were sent via a script — a common method for distributing tokens en masse and how we’ve always distributed large batches of tokens (whether security or utility tokens).
- Three of the receiving wallets for our most recent dividend payout were Dcoin wallet addresses. These wallet addresses (and other wallet addresses that centralized companies display to you to transfer funds into and out of) act as “temporary and pass-through” wallets on-chain, which are set up by the third party (in this case Dcoin) to immediately take a deposit that you make to that wallet and transfer those funds from “your” wallet into their on-chain custodial wallet. When you transfer money to one of these temporary wallet addresses, the transaction technically hits on-chain, but is immediately transferred to and then held by the centralized third party. The result is a number in their database displaying to you what your balance is, and the actual funds sitting in their blockchain wallet.
- Those three Dcoin receiving wallets were: hx00fbaf74ff55dfe7fe076bb9b0cc370039d82802
hx1ba842cf642d170248d21873d062bbea603fb023 hxd502c8c39b7522ccdfb423a5e16d739a632eed17 - When Dcoin received the SPORTS utility tokens for the three above wallet addresses to its actual on-chain ICONex wallet address (again, remember they’re the custodians for everyone’s funds via their one on-chain wallet), they failed to ensure the security of those three transfers. Hackers were able to go into Dcoin’s database and change the transactions to be a much larger number with several zeroes added to the end of their token balances. Of course, all of these additional tokens that they gave themselves by changing a number in the database were fake/bogus tokens not really held on-chain by them at all.
- With the new significantly larger bogus SPORTS token balance on Dcoin, these hackers were then able to sell the fake/bogus tokens to buyers within the Dcoin exchange. Again, fake/bogus tokens can only be sold or transferred if they’re just a number in the database. This could never happen on-chain.
- Dcoin suspended the trading of our token for 3 days while they researched the issue.
- ZenSports did our own research on the issue. We reached out to ICON, the developer of the protocol that our SPORTS utility token is hosted on, to have them do a forensics analysis of the situation. Here’s what exactly happened, in ICON’s words: “It seems they (Dcoin) tried to synchronize all the SPORTS token transactions by iterating block data, but this behavior is very dangerous and should be avoided. They didn’t check if those transactions have succeeded or not. They should check the status of transaction results and parse the ‘Transfer’ eventLog to get the actual token amount of transfer. Dcoin should modify their token synchronize logic to reflect the actual token transfers by inspecting the transaction results instead of the transaction data itself.”
- At this point, it was clear that Dcoin was at fault for this hack and sale of bogus SPORTS tokens. If they had then worked to correct the issue, rescind the fake/bogus trades, and restore the Tether and Bitcoin that customers in Dcoin used to pay for these bogus SPORTS tokens, it would have been annoying, but we would have continued doing business with them. Instead, what happened next was unforgivable.
- Dcoin refused to rescind the bogus trades. Prior to the breach being detected, ZenSports had spent $31,000 to buy what we thought were 235,000,000 real legitimate SPORTS tokens. Of course, these tokens turned out to be bogus SPORTS tokens dumped on us by the hackers. Dcoin refused to refund us our $31,000, even though this breach was not our fault — it was theirs.
- Dcoin suspended all customer withdrawals of SPORTS tokens for a week, and wouldn’t release them until ZenSports agreed to do what we’re about to discuss next.
- In addition to the 235,000,000 bogus SPORTS tokens bought by ZenSports, there were also approximately 71,000,000 bogus SPORTS tokens bought by other customers. Again, Dcoin refused to refund those customers the Tether and Bitcoin used to pay for those bogus SPORTS tokens. Which meant ZenSports was stuck with one of two options: 1) Let our customers take the fall and not be able to withdraw the 71,000,000 SPORTS tokens that they thought they had rightfully bought, or 2) ZenSports could take the hit on the 71,000,000 SPORTS tokens, and allow our customers that ended up buying the bogus tokens to instead get 71,000,000 real SPORTS tokens from our balance and we would lose the 71,000,000 SPORTS tokens ourselves.
Of course, we chose option 2, because while this incident was 100% not our fault, we’ve always done right by our customers and never want them to be the victims of negligence or fraud.
So here’s the net effect to ZenSports since we had our SPORTS token listed on Dcoin from September 2019 — January 2020:
- We initially deposited 200,000,000 of our own SPORTS tokens into Dcoin on the listing date in order to provide liquidity to buyers (contractually obligated to do so).
- We spent approximately $55,000 between September — January purchasing about 41,000,000 SPORTS tokens from sellers on Dcoin in order to provide liquidity to sellers (again, contractually obligated to do so).
- After the aforementioned breach, ZenSports was only allowed to withdraw 170,000,000 SPORTS tokens from Dcoin, and our SPORTS balance with them is now zero. So not only did we lose approximately $86,000 buying SPORTS tokens that we never got to keep, but we also somehow lost 30,000,000 SPORTS tokens from when we started (200M minus 170M).
Unlike ZenSports, Dcoin is not doing right by their customers (us) by making us take both a USD and SPORTS token hit due to their error. As such, we have no interest in working with them now or in the future, and we’re removing our SPORTS utility token listing from them effective immediately.
As a replacement to our Dcoin listing, we are building out our own Exchange feature within ZenSports, where our customers outside the United States can trade our SPORTS token directly in our app. This will give us full control over the customer experience and our customers will never have to worry again about what a third party might do with their funds.
Due to Money Servicing Business laws in the United States, we won’t be able to offer our proprietary Exchange within ZenSports to U.S. based residents, but we are looking at alternative third party exchanges to get our SPORTS token listed on for U.S. residents to trade. We’ll only consider exchanges based on the U.S. or EU, and those that have the highest reputations and standards.
Please email me directly at [email protected] with any questions on this story.