SocialFi app Stars Arena dispels ‘coordinated FUD’ after patching ‘noob’ vulnerability
A fault in the Stars Arena price function allowed hackers to escape with roughly $2,000; however, the vulnerability has since been patched.
The team behind the new Friend.tech-inspired protocol Stars Arena has dismissed what it called “coordinated FUD” after patching an exploit that saw attackers escape with $2,000 from the Avalanche-based decentralized social media platform.
In an Oct. 5 post on X (Twitter), the Stars Arena account said the exploit was fixed, adding, “Don’t get this wrong, we are at war.”
THE EXPLOIT HAS BEEN FIXED.
BUT DON’T GET THIS WRONG WE ARE AT WAR.
We’re being targeted by malicious actors in the space that want to steal your money.
The little guy is under attack.
You are under attack.
Your right to platform diversity is under attack.
Don’t get it… pic.twitter.com/DmbMdf9cAq
— Stars Arena (@starsarenacom) October 5, 2023
Pseudonymous X user “0xlilitch” took a swipe at Stars Arena, saying its “noob devs” had failed to patch a vulnerability in the platform’s price function that allowed attackers to sell zero user “tickets” in exchange for technically free Avalanche (AVAX) tokens.
So how is the contract getting drained right now?
THEIR getPrice() FUNCTION IS BROKEN
You can sell 0 shares and get AVAX. Yep. You can do this right now and it will work.
But where does this extra AVAX come from?
read next ⬇️ pic.twitter.com/0RM7NHxLeq
— lilitch.eth (@0xlilitch) October 5, 2023
However, the attack vector reportedly turned out to be economically unfeasible for the attackers. The exploit itself caused a major surge in the gas fees on Avalanche, which made extracting the earnings from the hack far more expensive than anticipated.
As a result, the attackers supposedly ended up spending more on gas fees than they netted from the exploit.
Ava Labs CEO Emin Gün Sirer highlighted in an X post that for every $0.04 earned from the exploit, the hackers spent an average of $0.25.
So much FUD about a Stars Arena exploit that has (1) already been fixed, (2) cost the attacker $0.25 to make $0.04, and (3) the attacker extracted a sum total of only $2,000. Now that it’s over, let’s get back to having fun in the arena.
— Emin Gün Sirer (@el33th4xor) October 5, 2023
Despite the relatively unsuccessful exploit, crypto community members were quick to lash out at the Stars Arena team.
The pseudonymous founder and developer of Delegate, known as “Foobar,” slammed the platform, claiming it botched its Friend.tech fork, and told Stars Arena to “delete your account and product, clownshow.”
you took a fully functional base contract and somehow added new attack vectors in your unverified fork. delete your account and product, clownshow
— foobar (@0xfoobar) October 5, 2023
Stars Arena is the latest app to join a growing roster of social finance platforms, such as Alpha on the Bitcoin network, Friendzy on Solana and PostTech on Arbitrum.
Despite the surge in similar DeSo apps, Friend.tech remains the market leader with more than $293 million in monthly trading volume and outpaces the next-closest app, PostTech, by more than $283 million.