Detailing the path forward.
BitMart has committed to purchasing all STARS to compensate users. Mogul establishes Crisis Confidence Plan to give users confidence in STARS
Mogul has taken the last week to speak with BitMart and our key partners to establish a transparent path forward after BitMart exchange was hacked for 21 million STARS tokens. To read our overview on the incident and the immediate steps Mogul took to protect our users visit here.
We appreciate our community’s patience, support, and discussion on this topic. Our highest priorities during this decision were to ensure our community members were compensated by BitMart and the longevity of STARS – the token that powers the Mogul ecosystem. This error has brought light on the importance of security within decentralized networks and is a great example of why at Mogul we audit our smart contracts with the best security firms in the world and use best-in-class security protocols for our internal development procedures.
- BitMart has committed to purchasing 21 million STARS from the market to make sure that every user on their exchange has the ability to withdraw. They have told us that they will not be operating on fractional reserves
- Mogul STARS token will continue with the current token contract unless the Crisis Confidence Plan below is initiated
- The bridge from ERC20 to BEP20 STARS will be reopened
- Mogul has created a Crisis Confidence Plan in the event the hacker moves their STARS tokens
BitMart has told Mogul they are working with the FBI, top world security firms, and asset managers to make sure they minimize the impact and recover the funds that were stolen and other externalities caused by their security errors.
Mogul will not be issuing a V2 of STARS tokens for the following reasons:
- The risk of hacker funds being moved is deemed very low
- The operational time and cost to do a V2 of a token have been estimated to be well in the 6 figures. We feel this capital should go toward marketing and further improving Mogul products for our end-users
- V2 of a token causes significant user confusion
- BitMart has committed to funding the repayment of all impacted users
The BitMart hacker is still holding 19 million STARS tokens. You can view their wallet here. Mogul does not have the ability in our token contract to blacklist their address.
The industry feels that the risk the hacker returns to this wallet is very low for the following reasons:
- In the event of a hack, the last action the hacker takes with a wallet is typically to use Tornado Cash to withdraw the ETH they plan to try and run away with. This is precisely the last action that this wallet has taken and it has been five days since their last move
- The wallet has been identified by many top security experts (and industry aggregators such as Etherscan and Certik) as a hacked wallet, and therefore any additional movement from that wallet puts the hacker at more risk to get caught (returning to the scene of the crime). This is and will be moving forward one of the most highly tracked wallets in the industry
- The amount of funds in the wallet, compared to the amount that the hacker withdrew is considerably low and rather illiquid. As of December 10th, the tokens total ~$21 million in this wallet, but the true liquidity of selling these 46 tokens would be a small fraction of that amount and require hours of transactions to occur (increasing the risk of the hacker making a mistake and exposing themselves)
- The hacker actually APPROVED STARS to sell them through the 1inch router but did not sell any tokens through this wallet. We believe the reason for this is because Mogul acted very quickly to alert our community and many community members pulled their liquidity from Uniswap. Mogul also shut down the bridge from ERC20 to BEP20 so that was the hacker’s only option to sell their STARS on Uniswap for very little. The fact that they approved the token and then decided not to transact gives a possible signal that they left their STARS without selling in this wallet
- There is a risk that the hacker tries to sell the wallet to someone else for a discounted rate of the total tokens. This risk is thought to be low because of the lack of liquidity on the tokens and the additional risk of the hacker exposing their identity. Also, the aforementioned reasons of how public this wallet address is and how it would be risky for an attacker to spend multiple hours liquidating these tokens to expose their identity.
For these reasons, it is highly likely that this wallet with 19 million STARS tokens has been abandoned and will not be touched again. This means, in theory, that these 19 million tokens are no longer part of the circulating supply of STARS.
Mogul Crisis Confidence Plan
Despite the risk of the 19M STARS tokens being very low that they will ever be moved, Mogul has still created a Crisis Confidence Plan to make sure we give our community the confidence they deserve to use STARS moving forward. Mogul and STARS will continue to thrive as the world’s top project where Hollywood and blockchain meet.
We have automated alerts that will alert senior members of our team when there is any movement with this wallet. We have established different plans according to the different actions the hacker can take. Detailed internal action plans are in place for selling or bridging events so that our team can act quickly.
- Hacker sells tokens on Uniswap into minimal liquidity
- Mogul & partners will purchase them back
- Hacker moves tokens to a different wallet
- Mogul monitors that wallet until a sell or bridging event is triggered
- Hacker bridges their tokens to BEP20 (where the majority of Mogul activity occurs
- AnySwap will pause the bridge, and Mogul will pause the token and immediately pause the STARS token to issue a V2 of the token
IF a STARS V2 is triggered (which is very unlikely), the following actions will take place to make sure all user funds are safe:
- Mogul has written a new STARS smart contract and is in the process of auditing it
- Contract may include LERC20 standards to prevent this situation from happening again, where our community will have the ability to blacklist an address and transfer out their funds after a vote.
- This is a contentious feature, and we will only implement this if we have the support of the community – it can be turned on and off.
- Mogul has changed the existing NFT marketplace, voting, and farming contracts to support STARS V2
- Mogul will take a snapshot at the exact time of the V2 trigger to obtain all address and balance data.
- Mogul will deploy the new smart contracts from our public deployment contract.
- Mogul will use Bulk Sender to issue the V1 holders their exact balance of V2 tokens.
- Mogul will work with AnySwap to create a new ERC20 BEP20 bridge contract
- Mogul will work with all exchanges to make sure that they support STARS V2 with their existing user balances
- Mogul will immediately notify Coingecko and CoinMarketCap to track the new token
- Mogul will work with BSC Scan and Ether Scan to properly label the contracts and verify their authenticity
- Mogul will change all documentation to point to the proper links and contract IDs so that no users have confusion moving forward
- Mogul will make adjustments to our platform to make sure that V2 STARS is reflected throughout the entire ecosystem
- Mogul will add additional trained support staff to make sure that all users know how to access their STARS V2
- Mogul will provide public documentation on our website and in our Intercom support system to make sure that all existing users have access to the official information
- Nearly 5M tokens have been withdrawn from Bitmart already without issue. To facilitate this, BitMart would have needed to acquire STARS
- Mogul will not be issuing tokens to BitMart from our treasury to compensate users.
- BitMart has not shown Mogul proof-of-payment to acquire STARS tokens. They have been advised against this due to possible price manipulation.
- Mogul has been approached by several new partners to establish key relationships to make STARS more accessible with more widely used and reputable exchanges that meet our rigorous security standards for partnerships
- Mogul will only partner with projects that publicly display proofs of their audits
- Statements presented in this article are based on Telegram messages from official BitMart team members sent to Mogul representatives
An AMA will be conducted with the community next week to answer all questions you may have.
Thank you, Moguls for your patience. Now we move forward!