Overview and Background
PCL is a utility token that powers the PECULIUM ecosystem. It is used to pay fees within the SAIΞVE wealth management platform, earn rewards and gain access to unique cashback fees through the Membership program, and more. PCL is a user’s gateway to an effortless crypto investing experience. To make that gateway more accessible to the world, PCL is available on the largest blockchain in the world (Ethereum).
The PCL ERC20 token was listed on the BitMart exchange by their team back in April 2020. Since then, we have worked hand-in-hand with the BitMart team.
The Incident
On Thursday 4th December 2021, at 22:35pm EST, a member of the PECULIUM team noticed an abnormal transaction coming from BitMart in which 93 million PCL tokens were withdrawn to the Ethereum blockchain. Our team was alerted and shortly found that there had been a security breach on BitMart: their hot wallets had been compromised, allowing a nefarious actor to take 93 million PCL tokens from the exchange into their own wallet. At this time, the BitMart team had not made any statement.
PECULIUM took quick action. We knew that the hacker had tokens on Ethereum, so our next course of action was to hold a development meeting with our team, including the team members who wrote and tested our token contracts. We needed to establish whether our token contract gave us any ability to blacklist the hacker’s address, and to determine any potential adverse effects of pausing our token through the contract. Unfortunately, our token does not have a “blacklist” option. Adding this type of functionality to a token contract is a divisive topic among cryptocurrency enthusiasts. The audited contracts for PCL can be found in our GitHub here.
Because we had cornered the attacker into selling his PCL tokens, we decided against pausing the token, and our team created an action plan of the steps we would need to follow promptly in order to deploy a new PCL token contract, in which we would blacklist the hacker’s address and compensate all of our holders using a snapshot of the token holders without the attacker’s address. We contacted our partners to make sure our action plan was comprehensive and that, if initiated, it would cause the smallest amount of inconvenience for our users.
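The snapshot step of the migration plan described above can be sketched as follows. This is an added example, not PECULIUM's or BitMart's code: it replays ERC-20 Transfer events up to a snapshot block and withholds the balances of blacklisted addresses. The addresses, block numbers and amounts are constructed for illustration.

```python
from collections import defaultdict

ZERO = "0x" + "0" * 40  # ERC-20 mints come "from", and burns go "to", this address

# Constructed addresses and events for illustration; not real chain data.
EXCHANGE, HOLDER = "0x" + "e" * 40, "0x" + "a" * 40
ATTACKER, SECOND_ADDR = "0x" + "b" * 40, "0x" + "c" * 40
SAMPLE_TRANSFERS = [  # (block, log_index, sender, recipient, value)
    (10, 0, ZERO, EXCHANGE, 1000),       # mint
    (11, 0, EXCHANGE, HOLDER, 100),      # ordinary withdrawal
    (12, 0, EXCHANGE, ATTACKER, 900),    # hot-wallet drain (scaled down)
    (13, 0, ATTACKER, SECOND_ADDR, 50),  # moved on before the snapshot
    (20, 0, ATTACKER, HOLDER, 10),       # after the snapshot: ignored
]

def snapshot_balances(transfers, snapshot_block):
    """Replay Transfer events up to snapshot_block; return {holder: balance}."""
    balances = defaultdict(int)
    # Apply events in chain order: block number first, then log index.
    for block, _idx, sender, recipient, value in sorted(transfers):
        if block > snapshot_block:
            break
        sender, recipient = sender.lower(), recipient.lower()
        if sender != ZERO:
            balances[sender] -= value
            if balances[sender] < 0:  # a debit with no matching earlier credit
                raise ValueError(f"incomplete event log for {sender} at block {block}")
        if recipient != ZERO:
            balances[recipient] += value
    return {addr: bal for addr, bal in balances.items() if bal > 0}

def migration_allocation(transfers, snapshot_block, blacklist):
    """Return (balances to credit on the new contract, total withheld)."""
    blocked = {addr.lower() for addr in blacklist}  # hex addresses are case-insensitive
    balances = snapshot_balances(transfers, snapshot_block)
    allocation = {a: b for a, b in balances.items() if a not in blocked}
    withheld = sum(b for a, b in balances.items() if a in blocked)
    return allocation, withheld

if __name__ == "__main__":
    # Blacklisting only the first address still credits SECOND_ADDR with 50.
    print(migration_allocation(SAMPLE_TRANSFERS, 15, ["0x" + "B" * 40]))
    # Both attacker-controlled addresses listed: only HOLDER is credited.
    print(migration_allocation(SAMPLE_TRANSFERS, 15, [ATTACKER, SECOND_ADDR]))
```

The first call shows why the blacklist has to cover every address the stolen tokens reached before the snapshot block, not only the address that received the original withdrawal.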
Several hours after, BitMart contacted us to tell us there was a security breach and asked if we could assist them in blacklisting the hacker’s wallet address. They alerted us that they’d be contacting other exchanges to recover tokens and that BitMart would cover all losses of our users and create an action plan to resolve this issue. They asked us if a contract migration was possible, and we were able to share our action plan that had been put together.
The Aftermath
Our team has been monitoring the situation closely and has set alerts on the hacker’s addresses so that we can act promptly if any tokens are moved. We have action plans created for a wide number of scenarios to make sure that we’re able to act quickly and diligently as a team so that the impact of this situation is remedied as quickly as possible.
We have read all communication put out publicly about the incident and are happy to hear that BitMart has partnered with globally respected exchanges, asset managers, and security companies to rectify the situation for all of the 45 impacted tokens and their users.
Next Steps
PECULIUM is waiting on accurate information directly from the BitMart team. Until then, we are in direct contact with BitMart, waiting for a complete resolution in order for us to take the next step. All exchanges that support ERC20 PCL will be able to intercept the hacker’s PCL if he moves the tokens to one of them, and return the tokens to the user.
The hacker’s only option is to sell on DEXes, but as we’re not listed on any DEX with high liquidity, he has to abandon the tokens for no return. We will make a move forward that benefits our community in the short and long term, and BitMart has committed to compensating users who were impacted.
The decision-making process is being made transparent with our community to give confidence to our users that PECULIUM will act in their best interests during times of third-party error and crisis. We commit to working with BitMart for the best interests of our users to help in this situation where we can.
Learning Opportunities
As an industry, we need to encourage exchanges to publish more accurate information on their cold storage solutions as well as their “disaster plan” for how they will move forward in the event of a hack.
PECULIUM will only partner with organizations that commit to publicly displaying their contract and token audits to the world for the safety of our users. We commit to using best-in-class security processes internally for password and private key protection and expect that our partners do the same so that these incidents do not impact the end-users. Every project has a responsibility to make sure that we’re building our ecosystem in a sustainable manner and we thank the community for their understanding. We commend BitMart for taking action and committing to compensating all losses.
See you tomorrow for more updates!