Statement regarding: dividend distribution vulnerability in our contract
We just wanted to take a moment and provide everyone with an update on the withdrawals/reinvesting issue.
At approximately midnight EST last night, an attacker found a vulnerability in our dividend distribution contract. He used a proxy contract to buy 50 BNB worth of KOJI and sell it in the same transaction, draining about 12 BNB out of the distributor. The attacker used the fact that our withdrawal() function was public to conduct this exploit.
This was our fault, an oversight when we migrated the contract, which by the way our contract auditor missed as well. This allowed him to bypass the non-reentrant modifier on the withdraw function, enabling him to loop thru the withdrawal function multiple times, and each time extracting .11 BNB until there was less than 1 BNB left in the distributor.
Here is what is important: the liquidity pool is safe, all team funds are safu and in the end we only lost a net of around ~5 BNB total.
Here is the breakdown of what happened:
- Attacker used a proxy contract to interface with the pancake pool/distributor directly
- 50 BNB buy bought 15B KOJI, which gave him a dividend of .11 BNB
- Using a loop, we think he was able to call the dividend withdraw function around 150 times for .11 BNB
- Then he sold all the KOJI back, but not before paying 7 BNB in taxes to our charity, admin, and the LP (2.34 BNB each). A total of 16 BNB was taken from the distributor, 4.8 of which came from his transaction alone
- 16 minus 4.8 = 11.2 minus the 7 BNB he paid in taxes = somewhere between 4 and 5 BNB (we don’t know exactly how much was in the distributor before the attack, but it was somewhere around 12 BNB)
We have since disabled deposits on the distributor, those taxes are now being held in the token contract where they are safe.
Ultimately, we are going to need to migrate to a new token contract in order to restart dividends. We though we could feed the distributor 1 BNB at a time, but the contract doesn’t know the BNB is in there. We could issue a new distributor contract, but then we would have to manually sweep the BNB from taxes over to that contract in order to pay dividends or allow people to reinvest.
The only real solution is to do a token swap, since half our liquidity is locked for 6 months.
So here is our plan of action:
- You can trade KOJI as you normally would, however you will not see your dividends increase. We are using those taxes to make everyone whole when we do the token swap
- All liquidity is safe, however half is locked for a while
- We will build a token swap contract, where you will be able to collect any pending dividends and swap your v1 KOJI to v2
- Once we have the majority of v1 KOJI, we will migrate the v2 contract with the 50% of LP that unlocks in 15 days
- We will then use the v1 tokens to extract as much liquid out of the old pool and add it to the new pool
- Everyone will get the same amount of tokens, all dividends will be received, and we can continue growing the project once this is behind us
We apologize for this oversight. If the attacker would have contacted us, we could have given him a bounty, but he chose to be petty for a few thousand dollars.
Our v2 contract will have better security measures, to be disclosed at a later time.
Please feel free to ask any questions. We wanted to find a way to fix this behind the scenes, however there are no good options. We want to be as transparent with our community as possible and not keep you guys in the dark anymore.
But we felt it was better to get a full scope of the problem/solution before letting everyone know hopefully preventing panic and FUD along the way. We thank your for your patience and hope you will stick with us during this time.
We will be conducting a live community chat in our Telegram on Dec 1st at 21:00 UTC (4PM/16:00 EST) to answer any questions you may have.
The KOJI team