Stars Arena, an Avalanche-based social application, was exploited on October 6th, 2023, resulting in a withdrawal of nearly $3 million in AVAX tokens. The exploit involved a smart contract vulnerability that allowed the attacker to drain funds from the contract.
Behind the Breach
A reentrancy vulnerability in the 0xA481B139a1A654cA19d2074F174f17D7534e8CeC contract was exploited to manipulate the share price so that a single share could be sold for 274k $AVAX.
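As an added illustration of the bug class named above (not Stars Arena's code, and not a reconstruction of the actual exploit), here is a hypothetical bonding-curve share market in Solidity with the reentrant sell pattern beside its hardened form; the contract names, function names and price curve are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical bonding-curve share market, sketched to show the bug class.
// Not Stars Arena's code; names and the price curve are assumptions.

// VULNERABLE: sell() pays the caller before updating share balance and supply,
// so a contract receiver's fallback can re-enter sell() while both are stale
// and the price it reads is still the pre-sale price.
contract VulnerableShares {
    mapping(address => uint256) public sharesOf;
    uint256 public supply;
    // Price of the s-th share (1-based), growing linearly with supply.
    function price(uint256 s) public pure returns (uint256) { return s * 1e16; }
    function buy() external payable {
        require(msg.value >= price(supply + 1), "underpaid");
        sharesOf[msg.sender] += 1;
        supply += 1;
    }
    function sell() external virtual {
        require(sharesOf[msg.sender] >= 1, "no shares");
        uint256 payout = price(supply);
        (bool ok, ) = msg.sender.call{value: payout}(""); // interaction first: BUG
        require(ok, "transfer failed");
        sharesOf[msg.sender] -= 1;                        // effects only after the call
        supply -= 1;
    }
}

// HARDENED: same market, but sell() follows checks-effects-interactions and
// is guarded by a mutex so a nested call cannot enter it at all.
contract HardenedShares is VulnerableShares {
    uint256 private lock = 1; // 1 = free, 2 = entered

    modifier nonReentrant() {
        require(lock == 1, "reentrant call");
        lock = 2;
        _;
        lock = 1;
    }
    function sell() external override nonReentrant {
        require(sharesOf[msg.sender] >= 1, "no shares");   // checks
        uint256 payout = price(supply);
        sharesOf[msg.sender] -= 1;                         // effects before any call
        supply -= 1;
        (bool ok, ) = msg.sender.call{value: payout}("");  // interaction last
        require(ok, "transfer failed");
    }
}
```

An audit checklist item for this class is simply: any function that reads a price or balance and then makes an external call must have finished all its state writes before that call, with a guard as a second line of defence.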
Lessons from the Incident
It appears that the contract was unaudited or poorly audited, indicating a lack of basic security practice. It is critical to audit before deploying and to continuously re-audit codebases once changes are introduced.
On October 12th, Stars Arena decided to pay a bounty of 10% + 1000 AVAX to the alleged 'whitehat' to recover 90% of its lost funds. This is a very harmful practice for the security of the entire ecosystem. When hackers don't fully succeed with their exploits, offering them a 10% bounty, rebranding them as 'whitehats' and sparing them prosecution sends the wrong message.
Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit https://rivanorth.com/ to find out more.
You build the future. We help you secure it.