Avalanche project Stars Arena suffers $2.9M exploit, leaving smart contract with just $0.051
Hackers exploited a vulnerability on Oct 7 and drained $2.9 million worth of Avalanche (AVAX) tokens from the smart contract of Stars Arena, an Avalanche-based social token platform. The vulnerable smart contract was used to secure tokens on the platform.
In a post on X, Star Arena noted that the platform is still under a Distributed Denial of Service (DDoS) attack. In a DDOS attack, bad actors disrupt the regular functioning of a platform by overwhelming it with a flood of traffic.
Star Arena added:
“We are working on a solution to get everyone’s funds recovered and have the Arena move forward.”
Blockchain security firm PeckShield first identified the attack and attributed it to a reentrancy issue. A reentrancy issue refers to a security flaw that allows an external contract or attacker to repeatedly call back into the vulnerable contract’s functions before the previous calls have been completed.
According to PeckShield, the reentrancy issue allowed the attackers to represent chat room access and sell tickets at exorbitant prices reaching as high as $2,740 each.
While the breach did not impact tokens in user wallets, users cannot realize any value by selling tickets they own.
The exploited vulnerability has depleted the value locked in Stars Arena’s smart contract to just $0.051, according to DefiLlama data. The platform has cautioned users against depositing any funds on the platform.
Previous attack
Stars Arena, an iteration of FriendTech, offers tokens for purchase, granting access to individual chat rooms. These tokens typically follow a bonding curve, increasing in price as more users acquire them. Transaction fees on such platforms are relatively high, with FriendTech imposing a 10% fee on each transaction, divided between the app and the platform’s owner.
Stars Arena had previously faced a smaller vulnerability that allowed the unauthorized draining of AVAX coins from its smart contract. However, since the issue was challenging to exploit, few funds were lost before it was rectified.
At the time, Ava Labs CEO Emin Gun Sirer dismissed security concerns as malicious actors spreading “FUD” (fear, uncertainty, and doubt).
