You probably already heard it from Telegram that we got hacked just 18 hours after our awesome Pancakeswap launch. This time it’s really bad — a hacker siphoned off all the liquidity in one transaction. There is no other way to say it, but we got f*cked.
There is this one transaction that documents the actual crime that we’re still seeing too often in the blockchain world:
Binance Transaction Hash (Txhash) Details | BscScan: 0x85778af13373250cd7d2a09903128c086e76bbbb5adc61b3df74ae8b126abfd8 (Dec-01-2021 08:58:08 AM +UTC)…
The story here is that the hacker used a bug in our contract that allowed anyone to burn the tokens of any address. We should have restricted burning to the message sender’s own tokens.
So the attacker used a flash loan contract that performed several contract calls to perform the liquidity drain:
- receive 1 BNB from another PCS pair
- swap that 1 BNB for CLCT, PCS returned 2,860 CLCT
- the attacking contract then burned most of the CLCT the PCS pair was holding
- that resulted in a major swing in the CLCT / BNB ratio, which brought the price of a CLCT almost to 0.6 BNB
- after that the contract swapped the 2,860 tokens back to 1,661 BNB
The stolen funds have finally been transferred to this address which subsequently transferred the coins to Tornado Cash to cover the tracks.
How do we proceed now?
Clearly, this is a major setback for the community and us. We had just recovered from the gas problem and are now again in crisis mode. But we are strong enough to dig ourselves out again.
We will raise outside funds to restore the stolen liquidity as soon as possible. We will fix the contract issue and have it audited by Hacken to ensure there are no more security issues. Then we will restore all token holders’ balances as of the time of the hack and ensure that all locked and unlocked balances from ICO investors get restored to the same point in time.
After all that there will be a new DEX launch with a brand new token, the same liquidity and token price of 21.6 cents and the trading goes on.
We, especially me, cannot stress enough that we are so sorry for what happened. We can only ask for your trust that it was not us who stole the liquidity; we will work hard to recover the losses with the launch product. We are completely convinced that we can do it.