From Exploit to Recovery: Unpacking the Stars Arena Hack

Stars Arena faced a significant hack due to a re-entrance vulnerability in its smart contract. Post-hack, 90% of the drained funds were recovered through negotiations with the hacker. The incident highlighted the importance of using established libraries in DeFi to prevent such known vulnerabilities.

Avascan
Oct 18, 2023

On October 7, 2023, the blockchain community was rattled by the news of a significant hack on Stars Arena, a burgeoning social platform on the Avalanche C-Chain. The exploit led to a loss of approximately $3 million in AVAX tokens. This incident highlighted the vulnerabilities inherent in emerging blockchain platforms while also showcasing the resilience and response mechanisms that such platforms can adopt in the face of adversities. Here’s a detailed exploration of the Stars Arena hack, its aftermath, and the broader implications for the Avalanche ecosystem.

Unveiling the Attack

The attackers smartly targeted a vulnerability in a smart contract of Stars Arena, coupled with a Distributed Denial-of-Service (DDoS) attack, to drain a substantial amount of AVAX tokens from the platform.

Avascan was the first to spot and report the huge 266k AVAX hack on Stars Arena. Their Twitter post brought the initial exploit to light, providing a crucial alert to the community and the Stars Arena team.

https://x.com/AvascanExplorer/status/1710539190855753811?s=20

Later the vulnerability was identified as a re-entrance issue by security analysts from PeckShield, which enabled the hackers to sell tickets at inflated prices, thereby exploiting the smart contract to their advantage.

We discuss the re-entrancy attack later in this article, when we cover the hacker's second attack.

The Hack Unfolds

Initially, on October 5, 2023, an exploit based on a smart contract vulnerability was identified which allowed users to drain funds from the contract. This attack was counterproductive because it required burning more in gas fees than could be drained.

During the first attack on October 5, 2023, the following transactions were noted:

The first public post about the hack was made by Avascan on their Twitter page, bringing the issue to light and sparking discussions within the community.

Shortly after the hack was discovered, PeckShield, a blockchain security firm, also shared insights about the incident, further drawing attention to the vulnerability and its implications.

The total amount exploited was 2014.068 AVAX, and it was advised that this amount should be sent back to the StarArena contract to restore its solvency. The gas cost for this transaction amounted to 1527.545330934088.

Interestingly, the first attack was said to be executable even by a non-developer as it exploited a vulnerability that was accessible at the frontend level, showcasing the extent of the vulnerability.

The Second Attack: 266k AVAX drained

In the days following the initial exploit, the same hacker managed to find another vulnerability and executed a second attack.

The exploit was attempted again on October 7, 2023, but this time it led to almost $3 million in AVAX tokens being drained from the platform, almost emptying it with the total value locked plummeting to $0.051.

Check Hack TX on Avascan → https://avascan.info/blockchain/c/tx/0x4f37ffecdad598f53b8d5a2d9df98e3c00fbda4328585eb9947a412b5fe17ac5

This time, the hacker utilized a reentrancy attack, a well-known vector in the blockchain space, especially for contracts written in Solidity.

A re-entrance issue is a pernicious smart contract vulnerability that has haunted the blockchain space for years, with the infamous 2016 DAO hack being a glaring example. In the Stars Arena scenario, this bug was once again at the helm.

A re-entrance issue arises when an external contract is able to call back into the calling contract before the first call is completed, leading to unexpected behaviors such as the draining of funds, as witnessed in the Stars Arena hack. The hackers managed to re-enter the smart contract, manipulate ticket prices, and siphon off a significant amount of AVAX tokens.

In Solidity, there’s a fallback function that gets called every time AVAX is sent to a contract. The hacker deployed a contract that bought shares of itself, triggering the sendToSubject(sharesSubject, subjectFee); function within the buyShares method. This action sent AVAX to the contract, and the fallback function in turn called setCurveParameters. This function call was not supposed to succeed, yet due to a logic error, it did. The line require(shareholders[msg.sender].length == 0, "Can't change weights after shares have been issued"); was supposed to be triggered, preventing the action, but it wasn't because buyShares updated the shareholders after sending the funds to the subject. By modifying the weights, the hacker then sold immediately afterward, reaping a profit.

The transaction detailing the exploit can be viewed here. It shows a transfer of 266103.97278 AVAX from address 0xdD9aFc0e3C43951659c8ebe7aEf9ee40879863EA to Stars Arena Exploit Deployer. The funds were later moved to address 0xa2Ebf3FCD757e9BE1E58B643b6B5077D11b4ad7A.

This second attack further emphasizes the critical importance of employing well-tested libraries and following best practices in smart contract development to mitigate the risks associated with known vulnerabilities like reentrancy attacks.
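The ordering flaw described above, shown next to a corrected version. This is an added example, not Stars Arena's contract code: the function and mapping names follow the article, while the storage layout, the weight parameter, the fee split and the contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration: a simplified model of the ordering bug described above.
// Storage layout, the weight parameter and the fee formula are assumptions.
abstract contract SharesBase {
    mapping(address => address[]) public shareholders; // subject => holders
    mapping(address => uint256) public weight;         // subject => curve weight
    bool private locked;

    // Minimal guard; OpenZeppelin's ReentrancyGuard.nonReentrant does the same job.
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function sendToSubject(address subject, uint256 fee) internal {
        // Hands control to `subject`; a contract subject runs its receive/fallback here.
        (bool ok, ) = subject.call{value: fee}("");
        require(ok, "fee transfer failed");
    }
}

contract VulnerableShares is SharesBase {
    function setCurveParameters(uint256 newWeight) external {
        require(shareholders[msg.sender].length == 0, "Can't change weights after shares have been issued");
        weight[msg.sender] = newWeight;
    }

    function buyShares(address sharesSubject) external payable {
        uint256 subjectFee = msg.value / 10;          // assumed fee split
        sendToSubject(sharesSubject, subjectFee);     // interaction first...
        shareholders[sharesSubject].push(msg.sender); // ...effect second: the check above still sees length 0
    }
}

contract HardenedShares is SharesBase {
    function setCurveParameters(uint256 newWeight) external nonReentrant {
        require(shareholders[msg.sender].length == 0, "Can't change weights after shares have been issued");
        weight[msg.sender] = newWeight;
    }

    function buyShares(address sharesSubject) external payable nonReentrant {
        uint256 subjectFee = msg.value / 10;          // assumed fee split
        shareholders[sharesSubject].push(msg.sender); // effect first
        sendToSubject(sharesSubject, subjectFee);     // interaction last
    }
}
```

In the hardened contract a callback into setCurveParameters during buyShares reverts on the guard, and even without the guard the shareholder check would already see the new holder because the state update precedes the transfer.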

Stars Arena’s Swift Response

Following the attack, Stars Arena took steps to address the situation. They managed to recover 90% of the drained funds after reaching an agreement with the hacker, offering the hacker a 10% bounty. This move aligns with a growing practice in the crypto space to incentivize ethical hacking and vulnerability disclosure.

Stars Arena informed the community about the breach through tweets, advising users not to deposit any funds while they were addressing the issue. They later announced the recovery of a significant portion of the funds, aiming to reassure the community about the platform’s security.

In addition, Stars Arena disclosed collaborations with Paladin Blockchain Security, a blockchain security solutions provider, and Locrian and his team, to enhance the platform’s security infrastructure as recommended by certain community leaders. These collaborations are presented as part of their efforts towards improving security and fostering sustainable growth, with further updates to come.

https://x.com/starsarenacom/status/1710991482738332002?s=20

Onchain Messages

A series of on-chain messages chronologically posted provides an insightful narrative into the unfolding scenario and the community’s response:

  1. The first message seems to initiate a discourse around the incident, possibly highlighting early observations or reactions.
  2. Following that, the second message is from a user who asks to have his funds back.
  3. The third message is from the exploiter and says that he is willing to cooperate.
  4. With the fourth message, Stars Arena’s team asks the exploiter to continue the discussion via email to make arrangements.
  5. In the fifth message, the exploiter responds to the team, asking to continue the dialogue onchain or on blockscanchat.
  6. Through the sixth message, the dialogue between the exploiter and the Stars Arena team definitively moves to blockscanchat.
  7. In the seventh message, the dialogue continues onchain because there seems to be some problem on blockscanchat due to active antispam by the exploit

A final tweet from Jack, COO of Avascan, confirms that the funds are finally back!

Check Funds Back TX on Avascan → https://avascan.info/blockchain/c/tx/0x6cd04b5394c47238f02dc556a191f0ab0a09cdf4ff8b97b6bfc4d65babcde988

Lessons and Takeaways: Advancing Towards Secure Smart Contracts

The Stars Arena incident underscores the critical importance of robust smart contract security, especially in emerging platforms managing significant assets. It also demonstrates the potential for recovery and community engagement in resolving such challenges.

Given that the hack in question was based on a well-known vulnerability, it is clear that one of the first best practices in the DeFi field is to use established libraries rather than attempting to reinvent the wheel. These libraries, being used by a wide range of people, have been tested and refined over time, unlike a custom library which, being used only by the developer who created it, can easily conceal yet-to-be-identified errors. In the absence of broad and collective validation, the risk of falling victim to hacks, as highlighted by the Stars Arena case, remains significantly high.
