Following a massive $285 million exploit of the crypto protocol Drift, stablecoin issuer Circle is under fire for its perceived inaction in freezing stolen assets. The incident has ignited a debate regarding the responsibilities of regulated issuers in preventing illicit fund movement.
The Incident
According to blockchain security firm PeckShield, the attacker siphoned approximately $71 million in USDC during the initial exploit. The hacker subsequently converted other stolen assets into USDC and utilized Circle’s Cross-Chain Transfer Protocol (CCTP) to bridge roughly $232 million from Solana to Ethereum, significantly complicating recovery efforts.
The Controversy: To Freeze or Not to Freeze?
Prominent blockchain investigator ZachXBT led the criticism, questioning why Circle did not act more aggressively to blacklist the attacker's wallets.
"Why should crypto businesses continue to build on Circle when a project with 9-figure TVL could not get support during a major incident?" ZachXBT wrote on X.
While Circle’s terms of service allow the company to blacklist addresses and freeze USDC tied to suspicious activity, the decision to do so is not straightforward.
Legal Risks and Regulatory Gaps
Industry experts point out that freezing assets without a court order or formal law enforcement request carries significant legal risks for issuers.
Salman Banei, general counsel at Plume, emphasized that acting without authorization could expose companies to civil liability. He advocates for legislative action to bridge this gap:
- "Lawmakers should provide a safe harbor from civil liability if digital asset issuers freeze assets when, in their reasonable judgment, there is strong basis to believe that illicit transfers have occurred."
Circle's Stance
Circle maintains that it freezes assets only when legally required. This incident underscores the growing tension for regulated entities: the need to act swiftly to curb illicit flows versus the risk of overreach in the absence of clear legal mandates.