Stars Arena Falls Victim to Reentrancy Resulting in a $2.9M Loss

Stars Arena, an Avalanche-based social application, was exploited on October 6th, 2023, resulting in a withdrawal of nearly $3 million in AVAX tokens. The exploit involved a smart contract vulnerability that allowed the attacker to drain funds from the contract.

Behind the Breach

A reentrancy vulnerability in the 0xA481B139a1A654cA19d2074F174f17D7534e8CeC contract was exploited to manipulate the share price so that a single share could be sold for 274k $AVAX.
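To make this class of bug concrete, below is an added, hypothetical bonding-curve shares contract written for this post; it is not Stars Arena's code nor a reconstruction of its actual logic, and the linear price curve, share counts and function names are assumptions. It shows a sell function that pays out before updating state beside the hardened checks-effects-interactions form.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical bonding-curve "shares" contract written for this post (not Stars Arena's code).
// Assumed linear curve: share number n costs n * 0.01 AVAX; a seller is paid priceOf(supply).
abstract contract SharesBase {
    mapping(address => uint256) public sharesOf;
    uint256 public supply;
    function priceOf(uint256 n) public pure returns (uint256) { return n * 0.01 ether; }
    function buyShare() external payable {
        require(msg.value == priceOf(supply + 1), "wrong price");
        supply += 1;
        sharesOf[msg.sender] += 1;
    }
}

// Vulnerable: AVAX is sent (an external call) before sharesOf and supply are reduced,
// so a holder of k shares whose receive() hook re-enters sellShare() is paid priceOf(supply)
// for the stale, undecremented supply on every nested call instead of the declining curve price.
contract SharesVulnerable is SharesBase {
    function sellShare() external {
        require(sharesOf[msg.sender] >= 1, "no shares");
        uint256 payout = priceOf(supply);
        (bool ok, ) = msg.sender.call{value: payout}(""); // interaction before effects: BUG
        require(ok, "transfer failed");
        sharesOf[msg.sender] -= 1;                        // state updated too late
        supply -= 1;
    }
}

// Hardened: checks-effects-interactions ordering plus a mutex guard, so a nested
// call reverts and the payout reflects state that has already been updated.
contract SharesSafe is SharesBase {
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function sellShare() external nonReentrant {
        require(sharesOf[msg.sender] >= 1, "no shares");  // checks
        uint256 payout = priceOf(supply);
        sharesOf[msg.sender] -= 1;                          // effects
        supply -= 1;
        (bool ok, ) = msg.sender.call{value: payout}("");  // interaction last
        require(ok, "transfer failed");
    }
}
```

The reordering is the essential fix; the guard is defence in depth, and any other function that reads sharesOf or supply during an external call would need the same treatment.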

Lessons from the Incident

It appears that the contract was unaudited or poorly audited, indicating a lack of basic security practice. It is critical to audit before deploying and to continuously re-audit codebases once changes are introduced.

Update

On October 12th, Stars Arena decided to pay a bounty of 10% + 1000 AVAX to the alleged 'whitehat' to recover 90% of its lost funds. This is a very harmful practice for the security of the entire ecosystem. When hackers don't fully succeed with their exploits, offering them a 10% bounty, a rebranding as 'whitehats' and a way to avoid prosecution sends the wrong message.


Rivanorth is a global boutique Web3 cybersecurity company. We specialise in smart contract audits and blockchain security advisory. Visit https://rivanorth.com/ to find out more.

You build the future. We help you secure it.