Starchi Staking Deployer’s Private Key Compromised, Liquidity Hacked

An ex-employee of Starter is responsible for over $400k in stolen liquidity

Starter Labs
3 min readApr 1, 2022

A wallet controlled by an employee (now ex-employee) of Starter whose employment at the company was pending termination after an internal review of various controls were completed, was compromised and used to maliciously change the upgradable contract code of 2 core staking pools in Starchi — the WMATIC/START and WMATIC/ELIXIR pools — using one of the original wallets he utilized to deploy the pools. These two pools were audited by Certik and were not at risk based on the deployed code. Certik’s report can be viewed here:

The affected pools are as follows:

  1. WMATIC/ELIXIR pool:

406,618 LP tokens consisting of 43,089 MATIC (~$70K USD) and 4,074,960 ELIXIR (~$70K USD) were removed and 174,960 ELIXIR (~$2500 USD) were sold. The hacker still maintains a balance of 3,900,000 ELIXIR in their wallet.


129,463 LP tokens consisting of 185,962 MATIC (~$310k USD) and 110,846 START ($310k USD) were removed. 50,846 START were bridged to BSC and sold for $73k USD.

The total MATIC (200,781) removed from the pools were sold for $337k USD, making the combined amount sold ~$412k USD. While this was an exploit of the Starchi Staking system, the majority of damage was inflicted on the START token.

Transactions to “upgrade” the Starchi staking contracts…

…and removing the liquidity tokens from each pool:

The name of this employee is Pemba Sherpa, born August 25, 1984 in Kathmandu, Nepal. He has been living in Abu Dhabi, Dubai for the past several years and claimed to have attended the University of Sharjah. We have been quietly working on replacing Pemba over the past few months due to other encounters where his honesty and integrity were in question. Pemba has been, and continues to be, online actively chatting with our team. He vehemently denies this action to have been executed by him, and claims that his wallet was compromised as a result of a Github commit that revealed the private key (wallet: He has also stolen funds that were sent to Binance on BSC chain from this wallet (0x283B3b8f340E8FB94D55b17E906744a74074cD07) as shown here: and here:

An official announcement was on hold as we have been continuously discussing this issue with Pemba in an attempt to retrieve the funds. He shared a message showing a Github commit made on March 23, 2022 @ 14:22 UTC revealing the private key of the compromised wallet:

The malicious upgrades to our pools were made on March 29, 2022 @ 15:19 UTC.

Upon further investigation, we discovered an original GitHub commit on Feb 11, 2022 in our private source code repository where the private key of the wallet was published ( — page 18, in the line 67 of the file contract/migrations/5_elixirlp_pool.js). This is the same file Pemba made public on March 23, 2022.

Next Steps

Unfortunately, our week-long attempt to recover the funds has been unsuccessful. As a result, the funds that were staked in Starchi LP pools are irretrievable and considered permanently lost. Single-sided staking pools were not removed by the hacker, but are affected by the lack of liquidity and token dump on the market. Other than the price of the token — which is a very important metric — START tokens that were staked in were also not affected by the hack.

We are still considering other options for moving forward, but are leaning toward:

  1. staking requirements on future sales will remain intact, but affected wallets will be whitelisted for sales
  2. issuing a new START and a new ELIXIR token
  3. updated tokenomics that includes lowering the supply

Specifically for affected wallets , which are listed here (, we will:

  1. receive new tokens on a ratio of 1:1 (unaffected wallets will receive tokens at the ratio of previous supply to new supply — e.g. if new supply for START is 500000, unaffected wallets ratio will be 2:1)
  2. sharing 65% of all future 2022 IDO revenue across all chains (VIP+)
  3. sharing 10% of all future 2022 IDO revenue across all chains (non VIP+)
  4. automatic whitelist access to all 2022 IDOs (Platinum+)
  5. migrate remaining liquidity to the new tokens
  6. run a token generation event specifically to help restore liquidity

Additionally, measures have been taken to further streamline our contract deployment processes to prevent the likelihood of this recurring. We sincerely apologize to those affected by this negligence. It is a tough lesson learned but one that will only make Starter’s ecosystem and brand much stronger, more secure and sustainable for years to come.




Starter Labs

A leading #blockchain R&D company focused on IRL incubating & coworking via @atlantachain, decentralized fundraising and play&earn game dev for #Web3