CLCT got hacked

You have probably already heard on Telegram that we got hacked just 18 hours after our awesome Pancakeswap launch. This time it’s really bad: a hacker siphoned off all the liquidity in one transaction. There is no other way to say it: we got f*cked.

One transaction documents the actual crime, of a kind we still see too often in the blockchain world:

The internal calls of the malicious transaction

The story here is that the hacker used a bug in our contract that allowed anyone to burn the tokens of any address. We should have restricted burning to the message sender’s own tokens.

The bug in our contract

The attacker used a flash loan contract that made several contract calls to drain the liquidity:

  • receive 1 BNB from another PCS pair
  • swap that 1 BNB for CLCT, PCS returned 2,860 CLCT
  • the attacking contract then burned most of the CLCT the PCS pair was holding
  • that caused a major swing in the CLCT/BNB ratio of the pair, which brought the price of one CLCT to almost 0.6 BNB
  • after that the contract swapped the 2,860 tokens back for 1,661 BNB
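
The burn bug and its effect on the pair's price, as an added Python model (not the CLCT contract, whose code is not reproduced here). The `Token` class, the account names and the reserve figures are constructed for illustration, pricing ignores swap fees, and the allowance path in the hardened variant is an assumption beyond the "own tokens only" rule stated above.

```python
# Added illustration, not the CLCT contract. Names and figures are constructed.
from fractions import Fraction


class Token:
    """Minimal balance ledger with a burn function in two variants."""

    def __init__(self, balances, restrict_burn):
        self.balances = dict(balances)
        self.allowances = {}  # (owner, spender) -> approved amount
        self.restrict_burn = restrict_burn

    def approve(self, sender, spender, amount):
        self.allowances[(sender, spender)] = amount

    def burn(self, sender, account, amount):
        """Burn `amount` from `account`; `sender` models msg.sender."""
        if self.restrict_burn and sender != account:
            # Hardened rule: a third party may burn only what the owner approved.
            allowed = self.allowances.get((account, sender), 0)
            if allowed < amount:
                raise PermissionError("burn exceeds allowance")
            self.allowances[(account, sender)] = allowed - amount
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[account] -= amount


def spot_price(token, pair, bnb_reserve):
    """BNB per token for a constant-product pair, priced from its holdings."""
    return Fraction(bnb_reserve, token.balances[pair])


def price_after_foreign_burn(restrict_burn):
    """Pair price after an unrelated caller tries to burn the pair's tokens."""
    token = Token({"pair": 4_000_000, "caller": 2_860}, restrict_burn)
    try:
        token.burn(sender="caller", account="pair", amount=3_999_000)
    except PermissionError:
        pass  # hardened variant: the pair's balance is untouched
    return spot_price(token, "pair", bnb_reserve=1_000)
```

With the unrestricted burn the modelled price moves from 1/4000 BNB to 1 BNB per token without any trade taking place; with the restriction it stays at 1/4000.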

The stolen funds were finally transferred to this address, which subsequently sent the coins to Tornado Cash to cover the tracks.

https://bscscan.com/address/0xbb1d1d435d8c2238cc65a0f427034440b00ef1d2

How do we proceed now?

Clearly, this is a major setback for the community and us. We had just recovered from the gas problem and are now again in crisis mode. But we are strong enough to dig ourselves out again.

We will raise outside funds to restore the stolen liquidity as soon as possible. We will fix the contract issue and have it audited by Hacken to ensure there are no more security issues. Then we will restore all token holders’ balances as of the time of the hack and ensure that all locked and unlocked balances from ICO investors are restored to the same point in time.

After all that, there will be a new DEX launch with a brand new token, the same liquidity and a token price of 21.6 cents, and trading will go on.

We, especially me, cannot stress enough how sorry we are for what happened. We can only ask for your trust that it was not us who stole the liquidity; we will work hard to recover the losses with the launch product. We are completely convinced that we can do it.
