- Stars Arena was exploited today for almost $2,000 on Thursday.
- The exploit was based on a vulnerability that allowed users to drain funds from the contract.
Stars Arena developers patched a smart contract vulnerability during an ongoing heist that enabled hackers to drain almost $2,000 from its contract address.
The Avalanche-based decentralised social media protocol’s contract wallet address still holds over $1 million despite the heist.
“The exploit has been fixed, but don’t be mistaken, we are at war,’ the protocol said. “Malicious actors in the space target us, aiming to steal your money. The little guy, including you and your right to platform diversity, is under attack.”
“These actors attempted to spend $5 to drain merely $1 in TVL from our platform, effectively throwing away money just to rob you,” the team said without specifying who they suspect is behind the attack.
Stars Arena is a fork of friend.tech, a popular decentralised social media protocol that recently made up 21% of transaction fees on Coinbase’s Ethereum layer 2 blockchain Base.
Friend.tech has become a viral crypto social media app since its launch but this popularity has come at some cost for users amid a raft of sim-swap attacks.
Both protocols allow users to monetise and trade their social media clout in the form of shares.
Stars Arena launched in late September and has quickly climbed to control over $1 million in investments from users and has contributed to a rise in transactions on Avalanche.
Despite this growth, it still pales in comparison to friend.tech which holds $45 million in investments.
Users are supposed to buy these shares in exchange for Avalanche’s native crypto AVAX or sell them for AVAX.
The exploit, which involved multiple attacker wallet addresses, took advantage of a vulnerability that enabled them to sell zero shares in exchange for AVAX, essentially draining funds from the protocol’s contract address.
On-chain data, verified by reports from team members, show that close to $2,000 was syphoned from the Stars Arena contract wallet during the attack earlier on Thursday.
Despite the exploit, community members close to the developers said the situation was always under control. This is because the exploit was not economically viable.
The exploit caused a massive surge in the gas fees on Avalanche — far above the earnings from the exploit. As a result, the exploiter spent more on fees than what they earned from the heist.
“So much FUD about a Stars Arena exploit that has already been fixed, cost the attacker $0.25 to make $0.04, and the attacker extracted a sum total of only $2,000,” Avalanche founder Emin Gün Sirer posted on X, formerly known as Twitter, about the attack. “Now that it’s over, let’s get back to having fun in the arena.”
Some community members on Discord have, however, said the hack could have become more viable if gas fees became much lower before the vulnerability was patched.
The entire protocol was briefly unavailable while the team rushed to solve the problem but community members on Discord have begun to report the resumption of some services.
Stars Arena developers did not immediately respond to DL News’ requests for comment.
Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.