Avalanche Stars Arena smart contract lost $2.9 million as a result of a hack

Carding 4 Carders

A social app modeled on the Friend.tech social network and deployed on the Avalanche blockchain was subjected to a hacker attack. As a result of the hack, assets worth $2.9 million were withdrawn from the smart contract.

Experts from PeckShield, a blockchain security company, noted that, according to the initial analysis, the hack of the Stars Arena application and the theft of assets worth about $2.9 million became possible due to a re-entrancy problem in the smart contract. Presumably, the hack could be related to a malfunction of the getPrice function.

The attackers used a security breach in the smart contract and the ability to re-enter it to increase the share of Avalanche tokens (AVAX) accounted for by "user tickets". This way, a single Stars Arena "user ticket" could be sold at a much higher price.

The Stars Arena team has asked users not to deposit any funds until the smart contract security bug is fixed.
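
The re-entrancy class named in the analysis above, as a toy Python model added here for illustration. It is not part of the original post and not Stars Arena's contract, whose code the post does not show; `TicketMarket`, `run` and the bonding curve in `get_price` are assumptions. When the payout is sent before state is updated, a nested sale is priced from stale supply and the pool ends up short; settling first and holding a lock keeps the pool solvent.

```python
# Simplified model, constructed for illustration; not the Stars Arena contract.
def get_price(supply):
    # Hypothetical bonding curve: the ticket at position `supply` is worth `supply` units.
    return supply

class TicketMarket:
    def __init__(self, guarded):
        self.guarded, self.locked = guarded, False
        self.supply, self.pool, self.held = 0, 0, {}

    def buy(self, who):
        self.supply += 1
        self.pool += get_price(self.supply)
        self.held[who] = self.held.get(who, 0) + 1

    def sell(self, who, on_receive):
        if self.guarded and self.locked:
            raise RuntimeError("re-entrant sell rejected")
        if self.held.get(who, 0) < 1:
            raise ValueError("no ticket to sell")
        payout = get_price(self.supply)
        self.locked = True
        if self.guarded:
            self._settle(who, payout)   # effects before the external call
        on_receive(payout)              # external call into the seller's code
        if not self.guarded:
            self._settle(who, payout)   # too late: nested call saw stale supply
        self.locked = False

    def _settle(self, who, payout):
        self.held[who] -= 1
        self.supply -= 1
        self.pool -= payout

def run(guarded):
    m, got, blocked = TicketMarket(guarded), [], []
    for who in ("a", "b", "c", "seller", "seller"):
        m.buy(who)
    def on_receive(amount):
        got.append(amount)
        if len(got) == 1:               # callback re-enters sell() once
            try:
                m.sell("seller", on_receive)
            except RuntimeError:
                blocked.append(True)
    m.sell("seller", on_receive)
    if m.held["seller"]:
        m.sell("seller", got.append)    # ordinary second sale
    owed = sum(get_price(n) for n in range(1, m.supply + 1))
    return sum(got), m.pool - owed, bool(blocked)
```

`run` returns the seller's total proceeds, the pool's surplus over what the remaining tickets are worth (negative means a shortfall), and whether a nested call was rejected.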
 

Carding 4 Carders

Avalanche-based SocialFi platform Stars Arena has recovered approximately 90% of the assets lost due to the exploit. The refund was the result of negotiations with the hacker.

UPDATE:

We have recovered approximately 90% of the lost funds.

We reached an agreement with the individual responsible for the recent security breach.

The funds have been returned in exchange for a 10% bounty fee + 1000 AVAX that was lost in a bridge.

Total funds lost:…
— Stars Arena (@starsarenacom) October 11, 2023

On October 7, the Friend.tech-inspired project lost 266,103 AVAX (~$3 million at the time of the attack) due to a "serious security breach" of smart contracts. As a result of the incident, the total value of assets locked on Stars Arena dropped to zero.

"We have reached an agreement with the person responsible for the recent security breach," the team said.

By agreement, the refund fee was 27,610 AVAX — 10% of the total amount plus 1,000 AVAX lost in the cross-chain bridge.

The hacker transferred 239,493 AVAX to the platform in two transactions.

The developers of Stars Arena also reported that after the incident, they wrote a completely new smart contract. The source code is currently being audited by Paladin Blockchain Security specialists.

UPDATE:

• Our technical team led by @0xlocrian has written an entirely new smart contract

• We are finalizing a full contract audit with @0xPaladinSec

• The contract will become open-source after the audit is concluded

• We will have a paused verified contract BEFORE…
— Stars Arena (@starsarenacom) October 11, 2023

The team promised to cover the shortfall in funds before the platform's restart.

Recall that the Stars Arena app, launched on Avalanche at the end of September as a fork of Friend.tech, caused a sharp increase in online activity. The number of transactions in the ecosystem jumped from 790,000 to 1.2 million in less than a week.
 