Overview and Background
STARS is a utility token that powers the Mogul ecosystem on our platform. It is used to buy NFTs, earn rewards, gain access to unique content, and more. STARS is a user’s gateway to where Hollywood and blockchain meet. To make that gateway more accessible to the world, STARS is available on the largest blockchain in the world (Ethereum) and the fastest growing blockchain (Binance Smart Chain).
The STARS token is critical to the Mogul ecosystem, where our mission is rooted in decentralization and inclusion in Hollywood through NFTs, DeFi and the Metaverse.
The STARS ERC20 token was listed on the Bitmart exchange by their team this past April. Since then, we have worked well with the Bitmart team. Last week, we had correspondence with the Bitmart team to support BEP20 STARS due to the increasing demand for it.
The community has independently given additional utility to STARS outside of the Mogul platform on decentralized, community-run platforms such as ApeSwap, Uniswap and PancakeSwap. Each of these platforms supports STARS and has liquidity, provided by the community, that is required to swap tokens and earn rewards.
On Saturday at 7:45pm EST a member of the Mogul team noticed an abnormal transaction coming from Bitmart in which 19 million STARS tokens were withdrawn to the Ethereum blockchain.
Our team was alerted, and shortly found there was a security breach on Bitmart where their hot wallets had been compromised, allowing a nefarious actor to take 21 million STARS tokens from the exchange into their own wallet. At this time, the Bitmart team had not made any statement.
Mogul took quick action. We knew that the hacker had tokens on Ethereum, and that Uniswap only had ~ 15 ETH of liquidity (versus $2m+ on BSC), so we worked with the AnySwap team to immediately pause the bridge from ERC > BEP to corner the attacker and prevent them from accessing any cross-chain liquidity to sell their tokens. This isolated the problem immediately and gave assurances to our users.
Our next course of action was to hold a development meeting with our team, including the team members who wrote and tested our token contracts. We needed to determine whether the hacker’s address could be blacklisted via our token contract, and to identify any potential adverse effects of pausing our token through the contract. Unfortunately, our token does not have a “blacklist” option. Adding this type of functionality to a token contract is a divisive topic among cryptocurrency enthusiasts. The audited contracts for STARS can be found in our GitHub here.
Due to the fact that we had cornered the attacker to a (relatively) small amount of liquidity to sell their tokens into, we decided against pausing the tokens and our team created an action plan of the steps we would need to promptly follow in order to deploy a new STARS token contract, where we would blacklist the hacker’s address and compensate all of our holders with a snapshot of the token holders without the attacker’s address. We contacted our partners to make sure our action plan was comprehensive, and if initiated, it would cause the smallest amount of inconvenience for our users.
Several hours after closing the bridge, BitMart contacted us to tell us there was a security breach and asked if we could assist them in blacklisting the hacker’s wallet address. They alerted us that they’d be contacting other exchanges to recover tokens and that BitMart would cover all losses of our users and create an action plan to resolve this issue. They asked us if a contract migration was possible, and we were able to share our action plan that had been put together.
Our team has been monitoring the situation closely and has set alerts on the hacker’s addresses so that we can act promptly if any tokens are moved. We have action plans created for a wide number of scenarios to make sure that we’re able to act quickly and diligently as a team so that the impact of this situation is remedied as quickly as possible.
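The snapshot-with-exclusion step of the migration plan and the address alerts described above, sketched as an added example (not Mogul's code or tooling). It replays constructed ERC-20 Transfer events, with all addresses, blocks and amounts being made-up placeholders, and shows that excluding one address does not remove tokens it already forwarded before the snapshot.

```python
from collections import defaultdict

ZERO = "0x" + "00" * 20  # mint/burn counterparty in ERC-20 Transfer events

# Constructed sample Transfer events: (block, from, to, amount in whole tokens).
# Addresses are shortened placeholders, not real on-chain addresses.
EVENTS = [
    (100, ZERO, "0xexchange", 50_000_000),
    (110, "0xexchange", "0xalice", 1_000_000),
    (120, "0xexchange", "0xbob", 2_000_000),
    (200, "0xexchange", "0xattacker", 21_000_000),  # hot-wallet withdrawal
    (210, "0xattacker", "0xpool", 500_000),          # forwarded before the snapshot
    (220, "0xalice", "0xbob", 250_000),
    (305, "0xattacker", "0xother", 1_000_000),       # movement after the snapshot
]

def replay(events, snapshot_block):
    """Rebuild balances from Transfer events up to and including snapshot_block."""
    balances = defaultdict(int)
    for block, src, dst, amount in sorted(events):
        if block > snapshot_block:
            break
        if src != ZERO:
            balances[src] -= amount
            if balances[src] < 0:
                raise ValueError(f"event log incomplete: {src} overdrawn at block {block}")
        if dst != ZERO:
            balances[dst] += amount
    return {a: b for a, b in balances.items() if b > 0}

def migration_snapshot(events, snapshot_block, excluded):
    """Balances to credit on a new contract, the amount withheld, and addresses to review."""
    balances = replay(events, snapshot_block)
    credited = {a: b for a, b in balances.items() if a not in excluded}
    withheld = sum(b for a, b in balances.items() if a in excluded)
    # Tokens an excluded address already passed on are not removed by exclusion alone.
    tainted = sorted({dst for blk, src, dst, _ in events
                      if src in excluded and blk <= snapshot_block})
    return credited, withheld, tainted

def movement_alerts(events, watched, after_block):
    """Outgoing transfers from watched addresses later than after_block."""
    return [e for e in sorted(events) if e[0] > after_block and e[1] in watched]
```

The `tainted` list is the part a plain "snapshot minus one address" misses: recipients of forwarded tokens still appear in `credited` and need a separate decision.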
We have read all communication put out publicly about the incident and are happy to hear that Bitmart has partnered with globally respected exchanges, asset managers, and security companies to rectify the situation for all of the 45 impacted tokens and their users.
Mogul is waiting on accurate information directly from the Bitmart team. Until then, we have incomplete information to decide on a next step.
As it stands right now, all ERC20 STARS supported exchanges will be able to intercept the hacker’s STARS if they were to move them to one of their exchanges to return the coins to the user, and there is only 15 ETH in liquidity on Uniswap. If you have liquidity on Uniswap, we suggest removing the liquidity.
The hacker’s only options are to sell on Uniswap for the amount of liquidity that remains there or abandon the tokens for no return. We will make a move forward that benefits our community in the short and long term, and Bitmart has committed to compensating users who were impacted.
The AnySwap bridge is still paused. If you have used the bridge while it has been paused, the AnySwap team has informed us that these are recoverable and we will address this situation once we hear back from Bitmart.
The decision-making process will be made transparent with our community to give confidence to our users that Mogul will act in their best interests during times of third-party error and crisis.
We commit to working with Bitmart for the best interests of our users to help in this situation where we can.
As an industry, we need to normalize double audits and encourage exchanges to publish more accurate information on their cold storage solutions as well as their “disaster plan” for how they will move forward in the event of a hack.
Mogul will only partner with organizations that commit to publicly displaying their contract and token audits to the world for the safety of our users. We commit to using best-in-class security processes internally for password and private key protection and expect that our partners do the same so that these incidents do not impact the end users. Every project has a responsibility to make sure that we’re building our ecosystem in a sustainable manner and we thank the community for their understanding.
We commend BitMart for taking action and committing to compensating all losses.