Stars Arena Recovers 90% Of Stolen Funds After $257k Bounty


Stars Arena, a Web3 social media platform, has revealed that it has recovered nearly all of the crypto stolen in a hack that took place on the 7th of October.

The platform revealed it had reached an agreement with the hacker and agreed to pay a 10% bounty in AVAX.

The Stars Arena Hack 

Stars Arena is an on-chain social app built on the Avalanche blockchain. The platform fell victim to a hack on the 7th of October, when hackers took advantage of a vulnerability in its smart contract system and siphoned off funds. In a series of posts on X, the protocol acknowledged a major breach and said it had lost around $2.9 million.

“There has been a major security breach with the smart contract. We’re actively checking the issue. DO NOT deposit any funds. Stay tuned for updates.”

In a preliminary analysis of the attack, blockchain security firm PeckShield indicated that the attack was made possible by a reentrancy exploit in Stars Arena’s shares contract. This allowed hackers to sell assets on the platform at a higher price than previously established.

“The reentrancy is abused to update the weight when the share/ticket is issued so that 1 share can be sold at a much higher price ~274k $AVAX.”

The community was first alerted to the hack shortly after, with the team calling it a major security breach. In subsequent updates, Stars Arena stated that it had secured funding to plug the gap left by the exploit and had also reached out to a development team to conduct a full security audit. Just days earlier, Stars Arena had been hit by another, smaller exploit. However, according to the protocol, the hackers could steal only around $2,000.

That exploit was possible because Stars Arena developers missed a vulnerable price function in the smart contract. This allowed the exploiter to sell user shares and get AVAX in return. Stars Arena has claimed it has patched this vulnerability.

“So, how is the contract getting drained right now? THEIR getPrice() FUNCTION IS BROKEN. You can sell 0 shares and get AVAX. Yep. You can do this right now, and it will work.”

Stolen Funds Recovered 

Following the hack, Stars Arena stated in a post on X published on the 11th of October that around 90% of the 266,000 Avalanche (AVAX) tokens stolen, worth around $3 million, had been returned by the hacker. The protocol reached an agreement with the hacker and paid out a 27,610 AVAX bounty worth nearly $257,000. The bounty also included compensation for 1,000 AVAX tokens worth $9,000 that the hacker lost in a bridge.

Stars Arena, in a post on X, stated, 

“UPDATE: We have recovered approximately 90% of the lost funds. We reached an agreement with the individual responsible for the recent security breach. The funds have been returned in exchange for a 10% bounty fee + 1000 AVAX that was lost in a bridge. Total funds lost: 266,104 AVAX Funds returned: 239,493 AVAX in two transactions of 119,246 AVAX Bounty: 26,610 AVAX + 1000 AVAX = 27,610 AVAX.”

New Smart Contract 

In a separate post on X, Stars Arena added that its technical team had written a completely new smart contract and was finalizing an audit of it before depositing the returned funds and relaunching.

“Our technical team led by @0xlocrian has written an entirely new smart contract. We are finalizing a full contract audit with @0xPaladinSec. The contract will become open-source after the audit is concluded. We will have a paused verified contract BEFORE relaunch. The funds secured to close the gap will be transferred directly to the contract following audit completion. In parallel, we are load-testing our servers to handle the traffic on relaunch. We can’t wait to welcome you back to the Arena.”

Other Major Hacks 

Pseudo-anonymous hackers have made quite a mark by signing transactions with messages after an attack. After the 2021 Poly Network hack, the hacker teased the community using signed messages while threatening to delay the return of funds. Meanwhile, other users used signed messages to ask the hacker for donations. In March, the hacker behind the Euler Finance hack returned over $120 million to the protocol, issuing an apology using signed messages.
