The Stars Arena social media app has recovered nearly 90% of the funds lost when it was exploited, according to an October 11 announcement from the team on X (formerly Twitter). The recovery came after four days of onchain negotiations, blockchain data shows. The attacker was allowed to keep just over 10% of the funds as a "white hat" bounty.
We have recovered approximately 90% of the lost funds.
We have reached an agreement with the person responsible for the recent security breach.
Money returned for a 10% bonus fee + 1000 AVAX that was lost in a bridge.
Total money lost:…
– Stars Arena (@starsarenacom) October 11, 2023
Stars Arena is a social media app on Avalanche that allows users to purchase "shares" of their favorite creators in exchange for exclusive content and other perks. It is often compared to Friend.tech, a similar app that runs on Base.
Stars Arena was exploited on October 5. X user Lilitch.eth claimed that more than $1 million was lost in the attack, while the app developers claimed that only about $2,000 worth of cryptocurrency had been lost. The exploited smart contract was upgradeable, which is what let the team patch the vulnerability in place and relaunch it with new code on the day of the attack; the same upgrade authority is also a standing trust assumption in the protocol's admin keys.
On October 7, address 0x96cefd23b3691d8cead413f2ec882e445fd0801e sent an onchain message to the attacker, stating: "Please return the funds to contract address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC, we will give you a 5% white hat bounty for doing so. The offer is valid until October 10th; if you don't send, we will have to take legal action against you."
The address named in the message is the official Stars Arena: Shares contract, which implies that the message was sent by the team. The attacker did not respond directly to this message. Instead, on October 11, the attacker sent a reply to a different address stating, "I would like to cooperate."
From this point on, a series of onchain messages passed between the team and the attacker. At one point, the team asked the attacker to respond using the Blockscan chat app, but the attacker replied that the team had turned on its anti-spam filter and was unable to receive messages through Blockscan.
At 7:21 pm UTC, the team sent a final message to the attacker. "We agreed to a 10% bounty," they said. "The other half will be sent, thus acknowledging that this is a whitehat."
At 7:43 pm UTC, the team announced on X that the attacker had returned 90% of the stolen funds, minus the 1,000 Avalanche (AVAX) tokens that were lost in a cross-chain bridge. According to the team's post, 266,104 AVAX (about $2.4 million at today's prices) was originally withdrawn from the app, and 239,493 AVAX (about $2.2 million) was recovered. That works out to just under 90%, or more than 89.9%, of the stolen funds recovered.
Exploiters often drain funds from DeFi protocols and then return most of them in exchange for an agreement not to prosecute. Critics argue that such attacks could be avoided if protocols ran more robust bug bounty programs with better payouts, which they say could tempt hackers to claim legitimate bounties instead of attacking protocols. In September, blockchain security platform Immunefi launched a bug bounty "vaults" program in an effort to increase transparency, which it hopes will attract more hackers to legitimate bounty programs and away from illicit attacks.