Mogul Press

Official Statement on Bitmart

Overview and Background

STARS is a utility token that powers the Mogul ecosystem on our platform. It is used to buy NFTs, earn rewards, gain access to unique content, and more. STARS is a user’s gateway to where Hollywood and blockchain meet. To make that gateway more accessible to the world, STARS is available on the largest blockchain in the world (Ethereum) and the fastest growing blockchain (Binance Smart Chain).

The STARS token is critical to the Mogul ecosystem, where our mission is rooted in the decentralization and inclusion in Hollywood through NFTs, DeFi and the Metaverse.

STARS ERC20 token was listed on the Bitmart exchange by their team this past April. Since then, we have worked well with the Bitmart team. Last week, we had correspondence with the Bitmart team to support BEP20 STARS due to the increasing demand for it.

The community has independently given additional utility to STARS outside of the Mogul platform on decentralized, community-run platforms such as ApeSwap, Uniswap and PancakeSwap. Each of these platforms supports STARS and has liquidity on it, provided by the community, which is required to swap tokens and earn rewards.

The Incident

On Saturday at 7:45pm EST a member of the Mogul team noticed an abnormal transaction come from Bitmart where 19 million STARS tokens were withdrawn to the Ethereum blockchain.

Our team was alerted, and shortly found there was a security breach on Bitmart where their hot wallets had been compromised, allowing a nefarious actor to take 21 million STARS tokens from the exchange into their own wallet. At this time, the Bitmart team had not made any statement.

Mogul took quick action. We knew that the hacker had tokens on Ethereum, and that Uniswap only had ~ 15 ETH of liquidity (versus $2m+ on BSC), so we worked with the AnySwap team to immediately pause the bridge from ERC > BEP to corner the attacker and prevent them from accessing any cross-chain liquidity to sell their tokens. This isolated the problem immediately and gave assurances to our users.

Our next course of action was to have a development meeting with our team, which included our team members that wrote and tested our token contracts. We needed to rule out that there was no ability to blacklist the hacker’s address via our token contract and to determine any potential adverse effects of pausing our token through the contract. Unfortunately, our token does not have a “blacklist” option. Adding this type of token functionality within a token contract is a divisive topic among cryptocurrency enthusiasts. The audited contracts for STARS can be found in our Github here.

Due to the fact that we had cornered the attacker to a (relatively) small amount of liquidity to sell their tokens into, we decided against pausing the tokens and our team created an action plan of the steps we would need to promptly follow in order to deploy a new STARS token contract, where we would blacklist the hacker’s address and compensate all of our holders with a snapshot of the token holders without the attacker’s address. We contacted our partners to make sure our action plan was comprehensive, and if initiated, it would cause the smallest amount of inconvenience for our users.

Several hours after closing the bridge, BitMart contacted us to tell us there was a security breach and asked if we could assist them in blacklisting the hacker’s wallet address. They alerted us that they’d be contacting other exchanges to recover tokens and that BitMart would cover all losses of our users and create an action plan to resolve this issue. They asked us if a contract migration was possible, and we were able to share our action plan that had been put together.

The Aftermath

Our team has been monitoring the situation closely and has set alerts on the hacker’s addresses so that we can act promptly if any tokens are moved. We have action plans created for a wide number of scenarios to make sure that we’re able to act quickly and diligently as a team so that the impact of this situation is remedied as quickly as possible.

We have read all communication put out publicly about the incident and are happy to hear that Bitmart has partnered with globally respected exchanges, asset managers, and security companies to rectify the situation for all of the 45 impacted tokens and their users.

Next Steps

Mogul is waiting on accurate information directly from the Bitmart team. Until then, we have incomplete information to decide on a next step.

As it stands right now, all ERC20 STARS supported exchanges will be able to intercept the hacker’s STARS if they were to move them to one of their exchanges to return the coins to the user, and there is only 15 ETH in liquidity on Uniswap. If you have liquidity on Uniswap, we suggest removing the liquidity.

The hacker’s only options are to sell on Uniswap for the amount of liquidity that remains there or abandon the tokens for no return. We will make a move forward that benefits our community in the short and long term, and Bitmart has committed to compensating users who were impacted.

The AnySwap bridge is still paused. If you have used the bridge while it has been paused, the AnySwap team has informed us that these are recoverable and we will address this situation once we hear back from Bitmart.

The decision-making process will be made transparent with our community to give confidence to our users that Mogul will act in their best interests during times of third-party error and crisis.

We commit to working with Bitmart for the best interests of our users to help in this situation where we can.

Learning Opportunities

As an industry, we need to normalize double audits and encourage exchanges to publish more accurate information on their cold storage solutions as well as their “disaster plan” for how they will move forward in the event of a hack.

Mogul will only partner with organizations that commit to publicly displaying their contract and token audits to the world for the safety of our users. We commit to using best-in-class security processes internally for password and private key protection and expect that our partners do the same so that these incidents do not impact the end users. Every project has a responsibility to make sure that we’re building our ecosystem in a sustainable manner and we thank the community for their understanding.

We commend BitMart for taking action and committing to compensating all losses.


Beefy Finance AMA Recap

This post recaps the AMA with Beefy Finance Strategy Leader and Developer, Weso, that took place on the Mogul Official Discord Server on Monday, December 6th.

Can you please introduce yourself and what you do with Beefy Finance 😁

Weso: Sure thing

I am the Strategic Partnership leader currently at Beefy Finance. I have been a developer at Beefy since a few months after launch and now am helping further expand our partnership network.

Question 1: What does partnering with Beefy help projects like Mogul to do?

Weso: Beefy Finance is at its core a multichain yield optimizer. We have over $1.2B TVL across 10 blockchains with over 700 vaults. We give users the ability to gain compound interest in their assets by farming for them and harvesting their farm rewards for more of their deposited assets. So that means when you deposit STARS-BNB LP on Beefy you will get more STARS-BNB taking advantage of the exponential nature of compounding. Since we have such a diverse user base, this brings a lot of reach to new projects. Beefy also drives liquidity by increasing the farm TVL.

Question 2: Two weeks ago, Mogul and Beefy announced the boosted APY, can you tell us more about that. There are a lot of new people here on the server so it’ll be great if you explain a little bit about it.

Weso: As part of our partnership with Mogul we were able to boost our STARS-BNB LP Vault. So not only are you earning your compounded return on STARS-BNB, you can choose to boost your vault and earn more STARS. The boost is a great mechanism for exposure. We have around 143,000 users on BSC alone. We have great participation with our boosted vaults and it gives us a great opportunity for co-marketing.

Question 3: Now that we’re talking about great opportunities, what other opportunities can we expect to see between Mogul and Beefy?

Weso: I think the opportunity for partnership is multi-faceted. We both have unique user bases that we can really engage within our marketing efforts. Innovation in the NFT space is happening rapidly, there might be some unique and fun initiatives that we can tailor around NFTs. We also have multiple products that have been created or are in the process of being created under the Beefy umbrella, like Moonpots, that have potential partnership opportunities. There is definitely some synergy we can tap into between the two projects in the coming months.

Question 4: There are many great things about Beefy Finance, can you please tell us how Beefy differs from Alpaca?

Weso: Sure, Alpaca is leveraged yield farming. This is a different take on yield optimization, obviously slightly riskier, and usually caters to different users.  Beefy has more breadth of vaults, so we work a lot on the different partnership opportunities in the different ecosystems. Partnering with Beefy means that you made it through our contract auditing process and you meet our safety criteria.

Question 5: @buzzmogie wants to know about Moonpots. So my next question is what other products is Beefy building on the roadmap? Can you give us some information about it without getting in trouble haha 

Weso: Sure thing haha

Moonpots is live right now. It’s a win-win lottery. It works like this. Users stake their assets on Moonpots, Moonpots stakes them on Beefy and the user earns 50% of the APY they would normally. The other 50% goes into a prize pool and once every two weeks 5 winners split the pot. Moonpots just launched NFT pots and some other fun games as well.

On the roadmap for Beefy, moooore blockchains. You will continue to see us expanding to more blockchains in the very near future. We also have Beefy Grants, which is a $1M builder initiative. We are currently and will continue to fund new products built on top of Beefy, also mentor them and help them launch. We have a few that already received grant approvals and are building as we speak. Lastly, you can expect Beefy Avatars, our first NFT launch. 

Question 6 (Bustin Jieber): Can you think of some concrete examples of Mogul and Beefy cooperation in the future?

Weso: At bare minimum co-marketing. We can help with product launches for Mogul and would like to be able to market Beefy as a brand to Mogul stakeholders.

Question 7: How can people apply for the Beefy Grant? What’s the process like?

Weso: We have our forum in the footer on the Beefy app. Anyone can write up their proposal and come have an active conversation around it in our community. Once the details get ironed out, they will be submitted for a snapshot vote for funding.

Question 8 (MageFrost): Hacks are occurring more frequently and many yield optimization platforms have been hacked. What is Beefy Finance’s approach to this hacking risk and what insurance policies are in place?

Weso: Hacks occur for a multitude of reasons. We are security-focused and try to decentralize Beefy as much as we can. Our vault and strategy contracts are owned by a timelock, and the timelock is owned by a 3-signer, 5-person multi-sig. This eliminates the centralization control risk if, let’s say, private keys are stolen. We also don’t rely on any oracles so nothing at a price level can be manipulated. In addition, we have a partnership with InsurAce that will allow you to insure your assets in Beefy vaults across multiple blockchains. We have CertiK audits and an Immunefi bounty. We also do loads of due diligence checks on the underlying platforms we vault. We have all our safety standards detailed out in our docs.

Question 9 (BeefyCow): What awesome movie would you have starred in if you had the chance?

Weso: Goodfellas

Question 10 (MageFrost): What do you think is a feature in the Traditional Finance world that has not been properly built out yet in the Defi world?

Weso: I think options and futures markets are still young. We see some opportunities available for these on ETH but they will really open the door to securing a portfolio through hedging.

Question 11 (Sol): I love the moonpots approach; what has been the feedback so far?

Weso: Moonpots has done well so far, there was a lot of excitement at launch. Each week there are new POTS available, I think the NFT pots have delivered nice engagement recently. Moonpots will be multichain as well, so that’s when we will really see fun products.

Question 12 (Buzzmogie): how do u become eligible for a grant?  

Weso: Anyone is eligible, you just need to post and discuss the idea in our forum. If it improves the Beefy Ecosystem I am sure the community would love it.

Question 13: Thank you so much, Weso! It was great doing this AMA with you 🌟 Can you please share your and Beefy’s social links so the community can follow you guys and get updated with all the latest news about Beefy 🐮

Weso: You can find me on Twitter @w3soBeefy and follow for Beefy updates @beefyfinance. Can also join our discord with this link https://discord.gg/swEp5b7R