Novel Avalanche-based SocialFi exploited by same attacker with $2.9 million lost
A SocialFi protocol on Avalanche (AVAX) is targeted by the second attack in three consecutive days. It seems that the same malefactors might be exploiting a well-known vulnerability, while some commentators accuse the team of an insider job.
Stars Arena attacked yet again, here’s how
Stars Arena, an overhyped SocialFi protocol on the Avalanche (AVAX) blockchain, was attacked today, Oct. 7, 2023, at about 6 a.m. UTC. The aggregated losses of its liquidity ecosystem might exceed 274,000 AVAX, or almost $2.9 million in equivalent, cryptocurrency security researchers PeckShield said on X.
The Stars Arena team confirmed the “vulnerability” and asked all its users and Avalanche (AVAX) enthusiasts not to deposit money while an investigation is underway:
There has been a major security breach with the smart contract. We’re actively checking the issue. DO NOT deposit any funds. Stay tuned for updates
The attacker abused a “reentrancy bug” to manipulate the price that has to be paid for one “share,” a kind of in-app currency: the exploit made it possible to buy a share and then sell it back at a dramatically inflated price.
It should also be noted that two days ago, soon after its launch, the Avalanche-based SocialFi was already exploited for over $1 million. As covered by U.Today previously, the attackers were able to redeem zero shares for “real” AVAX payouts.
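The bug class behind both incidents is best seen in code. What follows is an added illustration, not Stars Arena’s contract (which is not reproduced here): a toy friend.tech-style shares market with the classic ordering bug, followed by the same market written with checks-effects-interactions ordering, a reentrancy mutex and a zero-amount precondition. The contract names, function names and the price curve are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Stars Arena's contract. A toy friend.tech-style
// "shares" market: the price of a share rises with the subject's supply,
// buyers pay in the chain's native coin (AVAX), sellers are paid out.
// Contract and function names and the price curve are assumptions.

abstract contract SharesCurve {
    // subject => holder => shares held
    mapping(address => mapping(address => uint256)) public sharesBalance;
    // subject => total shares outstanding
    mapping(address => uint256) public sharesSupply;

    // Toy price curve (assumed): the n-th share costs n^2 / 16000 coins,
    // so the price depends entirely on the supply recorded in storage.
    function getPrice(uint256 supply, uint256 amount) public pure returns (uint256 total) {
        for (uint256 i = 0; i < amount; i++) {
            uint256 n = supply + i;
            total += (n * n * 1 ether) / 16000;
        }
    }
}

// VULNERABLE: sellShares pays the seller before debiting balance and supply.
// The payout is an external call; if msg.sender is a contract, its receive()
// runs while storage is stale, so it can re-enter sellShares (and be paid
// again for shares it still appears to hold) or trade against a supply
// that no longer reflects reality.
contract SharesMarketVulnerable is SharesCurve {
    function buyShares(address subject, uint256 amount) external payable {
        uint256 price = getPrice(sharesSupply[subject], amount);
        require(msg.value >= price, "insufficient payment");
        sharesBalance[subject][msg.sender] += amount;
        sharesSupply[subject] += amount;
    }

    function sellShares(address subject, uint256 amount) external {
        uint256 supply = sharesSupply[subject];
        require(sharesBalance[subject][msg.sender] >= amount, "not enough shares");
        uint256 payout = getPrice(supply - amount, amount);
        // BUG: interaction before effects (checks-effects-interactions violated)
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "payout failed");
        sharesBalance[subject][msg.sender] -= amount;
        sharesSupply[subject] -= amount;
    }
}

// Minimal mutex in the style of OpenZeppelin's ReentrancyGuard, written
// inline so the file is self-contained.
abstract contract ReentrancyGuardMinimal {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// HARDENED: reject zero-amount trades, update storage before paying out,
// and refuse any nested call into a guarded function.
contract SharesMarketHardened is SharesCurve, ReentrancyGuardMinimal {
    function buyShares(address subject, uint256 amount) external payable nonReentrant {
        require(amount > 0, "zero amount");
        uint256 price = getPrice(sharesSupply[subject], amount);
        require(msg.value >= price, "insufficient payment");
        sharesBalance[subject][msg.sender] += amount;
        sharesSupply[subject] += amount;
    }

    function sellShares(address subject, uint256 amount) external nonReentrant {
        require(amount > 0, "zero amount");
        uint256 supply = sharesSupply[subject];
        require(sharesBalance[subject][msg.sender] >= amount, "not enough shares");
        uint256 payout = getPrice(supply - amount, amount);
        // Effects first: storage is final before control leaves the contract.
        sharesBalance[subject][msg.sender] -= amount;
        sharesSupply[subject] -= amount;
        // Interaction last.
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "payout failed");
    }
}
```

Moving the two storage writes above the external call is by itself enough to close the hole in `sellShares`; the `nonReentrant` guard is defence in depth against a later edit that reintroduces an external call mid-function. The `amount > 0` check is a general precondition rather than a claim about what fixed the first incident, but since the article reports that zero-share redemptions were paid out in real AVAX, rejecting empty trades at the entry point is the cheapest place to stop that class of input.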
Both key Avalanche (AVAX) figureheads and Stars Arena team representatives stressed that, because the exploit was gas-inefficient, the attack was less damaging than it could have been.
Community enraged: “Reentrancy attack in 2023?”
However, as it happened amid the “SocialFi frenzy” triggered by Friend.tech’s success, the Stars Arena drama caused much stir in the Web3 community.
Many commentators on X highlighted that “reentrancy” attacks are well-known malicious practices previously used for price manipulations in DeFi:
Reentry issue is an old and classical attack, should be checked in the first place, don’t understand why SA falls into such a stupid bug
Other commentators accuse the team of an insider job, as the “vulnerable” elements of the contract seem unnecessary to them.
In 2022, the same attack pattern resulted in $80 million lost in the Rari/Fei exploit, as U.Today reported. The infamous 2016 DAO hack also used this method to drain Ethereum (ETH) funds.