Avalanche-based StarsArena suffers $2.9M exploit; claims to have effected patch

Stars Arena, a friend.tech-inspired social finance platform built on Avalanche, was targeted by a hacker who exploited a vulnerability in the platform’s smart contracts. Following the security breach, the hacker was able to access and withdraw funds from user accounts, causing significant losses for many users.
Stars Arena is a SocialFi platform that allows creators to monetize their expertise. The platform offers creators the opportunity to sell “tickets,” essentially shares of their knowledge, to their dedicated followers. The SocialFi dApp was built on the Avalanche blockchain, allowing users to make transactions using Avalanche’s native cryptocurrency ($AVAX) to ensure speed and security.
In a post from its official account on X (formerly Twitter), Stars Arena said the platform had experienced a security breach and advised users to pause all activities on the platform and wait for updates while the team worked to fix the issue.
There has been a major security breach with the smart contract.
We're actively checking the issue.
DO NOT deposit any funds.
Stay tuned for updates.
— Stars Arena (@starsarenacom) October 7, 2023
A user on X (formerly Twitter), responding to the hack, tracked down the hacker's address and showed all the exploited $AVAX being drained into that one contract address.
looks like all the exploited $AVAX is going to this contract https://t.co/AKA7cPehfp
seemingly the same exploit they stated was a nothingburger only a day ago? https://t.co/C4qTKjzNRT pic.twitter.com/c2m6MMlbtK
— L (@0xLawliette) October 7, 2023
An analysis of the exploit posted by the Beosin account on X (Twitter) said that the platform’s smart contracts, which are not open source, were vulnerable to a reentrancy attack. This allowed the hacker to access and withdraw funds from user accounts, causing losses of $2.9M worth of $AVAX.
Analysis of the Stars Arena exploit:🔽
The contract is not open source, there seems to be a reentrancy vulnerability.
During the call of the 0xe9ccf3a3 function, the attacker reentered and called the 0x5632b2e4 function, setting a block height.
Then, in the sellShares… https://t.co/ca4ngjFl2J pic.twitter.com/EDilKkpRte
— Beosin Alert (@BeosinAlert) October 7, 2023
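The Beosin analysis quoted above describes a nested call into a second function while the first was still executing. The sketch below is an added example, not Stars Arena's code (which is closed source); the contract, its functions and its variables are all hypothetical. It shows the standard mitigation for that pattern: one lock shared by every state-changing entry point, plus checks-effects-interactions ordering in the function that pays out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Every name here (GuardedTickets, setMarker,
// buyTicket, sellTicket) is hypothetical and not taken from Stars Arena.
contract GuardedTickets {
    uint256 private locked = 1;                 // 1 = idle, 2 = inside a guarded call
    uint256 public constant PRICE = 0.01 ether; // flat price keeps the sketch short
    mapping(address => uint256) public tickets;
    mapping(address => uint256) public marker;  // stands in for any stored setting

    // One lock shared by EVERY state-changing entry point. Guarding only the
    // function that sends value leaves sibling functions callable from the
    // recipient's fallback while the outer call is still running.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function setMarker(uint256 value) external nonReentrant {
        marker[msg.sender] = value;
    }

    function buyTicket() external payable nonReentrant {
        require(msg.value == PRICE, "wrong payment");
        tickets[msg.sender] += 1;
    }

    function sellTicket() external nonReentrant {
        // Checks
        require(tickets[msg.sender] > 0, "no ticket");
        // Effects: finish all bookkeeping before control leaves the contract
        tickets[msg.sender] -= 1;
        // Interaction: the recipient's code runs here. The lock is still held,
        // so a nested call to setMarker, buyTicket or sellTicket reverts.
        (bool ok, ) = msg.sender.call{value: PRICE}("");
        require(ok, "payout failed");
    }
}
```

When reviewing a contract for this class of bug, check that the guard covers setters and other helper functions as well as the functions that transfer value.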
In an Oct. 5 post on X (Twitter), the Stars Arena account had announced an earlier exploit that allowed attackers to steal $2,000 from the Avalanche-based decentralized social media platform. It reported that the issue had been fixed, adding, “Don’t get this wrong, we are at war.”
THE EXPLOIT HAS BEEN FIXED.
BUT DON’T GET THIS WRONG WE ARE AT WAR.
We’re being targeted by malicious actors in the space that want to steal your money.
The little guy is under attack.
You are under attack.
Your right to platform diversity is under attack.
Don’t get it… pic.twitter.com/DmbMdf9cAq
— Stars Arena (@starsarenacom) October 5, 2023
The previous exploit in their platform caused a major surge in the gas fees on Avalanche, which made the withdrawal of the earnings from the hack far more expensive than anticipated.
The Stars Arena team has taken steps to secure the platform and fix the recent security breach, while also working on compensating affected users, but many questions remain about the incident and how it could have been prevented. Stars Arena is the latest app to join a growing roster of social finance platforms, such as Alpha on the Bitcoin network, Friend.tech on Ethereum and PostTech on Arbitrum.
Important news: we have secured the resources to close the gap caused by the exploit.
Additionally, a special white hat development team is coming in to rapidly review the security of the platform.
We will re-open the contract with all the funds in full after a full security…
— Stars Arena (@starsarenacom) October 7, 2023
