Starchi Staking Deployer’s Private Key Compromised, Liquidity Hacked

An ex-employee of Starter is responsible for over $400k in stolen liquidity

A wallet controlled by an employee (now ex-employee) of Starter whose employment at the company was pending termination after an internal review of various controls were completed, was compromised and used to maliciously change the upgradable contract code of 2 core staking pools in Starchi — the WMATIC/START and WMATIC/ELIXIR pools — using one of the original wallets he utilized to deploy the pools. These two pools were audited by Certik and were not at risk based on the deployed code. Certik’s report can be viewed here: https://starchi.gg/PRE-Starchi-2021-12-29.pdf

The affected pools are as follows:

1. WMATIC/ELIXIR pool: https://polygonscan.com/address/0x47c7070e2fb82c5c87c57cf04bf0c74880743f79

406,618 LP tokens consisting of 43,089 MATIC (~$70K USD) and 4,074,960 ELIXIR (~$70K USD) were removed and 174,960 ELIXIR (~$2500 USD) were sold. The hacker still maintains a balance of 3,900,000 ELIXIR in their wallet.

2. WMATIC/START pool: https://polygonscan.com/address/0x86f9cf0a0cb921811496eaeb0cf15d8e250bdbbe

129,463 LP tokens consisting of 185,962 MATIC (~$310k USD) and 110,846 START ($310k USD) were removed. 50,846 START were bridged to BSC and sold for $73k USD.

The total MATIC (200,781) removed from the pools were sold for $337k USD, making the combined amount sold ~$412k USD. While this was an exploit of the Starchi Staking system, the majority of damage was inflicted on the START token.

Transactions to “upgrade” the Starchi staking contracts… https://polygonscan.com/tx/0xda8d237fecd19889e5eece67308711c6aff422b6465e832fdecee71e402f1fe4

https://polygonscan.com/tx/0x954430d93f024744f4a28ada8bae26575ffca45927a2edc3cb21ec0d2679a657

…and removing the liquidity tokens from each pool:

https://polygonscan.com/tx/0x73a3f6d90a53eb7baed8844c18e51285d8ff25cd04ef4240d2d1bcbb1c111f84

https://polygonscan.com/tx/0x7a753fcf646ae61c542ca7f5cb576866cd6504d217fa5dfacfafc798117cc6c3

The name of this employee is Pemba Sherpa, born August 25, 1984 in Kathmandu, Nepal. He has been living in Abu Dhabi, Dubai for the past several years and claimed to have attended the University of Sharjah. https://www.linkedin.com/in/pemba-gelu-s-4598891a7/. We have been quietly working on replacing Pemba over the past few months due to other encounters where his honesty and integrity were in question. Pemba has been, and continues to be, online actively chatting with our team. He vehemently denies this action to have been executed by him, and claims that his wallet was compromised as a result of a Github commit that revealed the private key (wallet: https://polygonscan.com/address/0x6B0AcEe20e7Fb17aEe8AFB9e211300b7cEc65688). He has also stolen funds that were sent to Binance on BSC chain from this wallet (0x283B3b8f340E8FB94D55b17E906744a74074cD07) as shown here: https://bscscan.com/address/0x6a62ca5e5138fd56df94fb022c153724a24e91f2 and here: https://bscscan.com/tx/0xeefaeac25631637d2c993e804939ba6bdd5d3099e4cd21570df6a4b77d2e626d

An official announcement was on hold as we have been continuously discussing this issue with Pemba in an attempt to retrieve the funds. He shared a message showing a Github commit made on March 23, 2022 @ 14:22 UTC revealing the private key of the compromised wallet: https://github.com/pemba-sherpa-999/illuvium-staking/blob/master/migrations/5_elixirlp_pool.js

The malicious upgrades to our pools were made on March 29, 2022 @ 15:19 UTC.

Upon further investigation, we discovered an original GitHub commit on Feb 11, 2022 in our private source code repository where the private key of the wallet was published (https://starchi.gg/sturdy-fiesta@6c52e41.pdf — page 18, in the line 67 of the file contract/migrations/5_elixirlp_pool.js). This is the same file Pemba made public on March 23, 2022.

Next Steps

Unfortunately, our week-long attempt to recover the funds has been unsuccessful. As a result, the funds that were staked in Starchi LP pools are irretrievable and considered permanently lost. Single-sided staking pools were not removed by the hacker, but are affected by the lack of liquidity and token dump on the market. Other than the price of the token — which is a very important metric — START tokens that were staked in Starter.xyz were also not affected by the hack.

We are still considering other options for moving forward, but are leaning toward:

1. staking requirements on future sales will remain intact, but affected wallets will be whitelisted for sales
2. issuing a new START and a new ELIXIR token
3. updated tokenomics that includes lowering the supply

Specifically for affected wallets , which are listed here (https://docs.google.com/spreadsheets/d/1G-7bwfG-cRbubXNo7HHYBXWxOf_yLZj4BKVVH290A9Y/edit?usp=sharing), we will:

1. receive new tokens on a ratio of 1:1 (unaffected wallets will receive tokens at the ratio of previous supply to new supply — e.g. if new supply for START is 500000, unaffected wallets ratio will be 2:1)
2. sharing 65% of all future 2022 IDO revenue across all chains (VIP+)
3. sharing 10% of all future 2022 IDO revenue across all chains (non VIP+)
4. automatic whitelist access to all 2022 IDOs (Platinum+)
5. migrate remaining liquidity to the new tokens
6. run a token generation event specifically to help restore liquidity

Additionally, measures have been taken to further streamline our contract deployment processes to prevent the likelihood of this recurring. We sincerely apologize to those affected by this negligence. It is a tough lesson learned but one that will only make Starter’s ecosystem and brand much stronger, more secure and sustainable for years to come.