Stars Arena recovers 90% of exploited funds after onchain negotiations

Social media app Stars Arena has recovered approximately 90% of the funds lost in an exploit, according to an announcement posted by the team on X (formerly Twitter) on October 11. Blockchain data shows the recovery occurred after four days of on-chain negotiations. The attacker was allowed to keep just over 10% of the funds as a “white hat” bounty.

Stars Arena is a social media application on Avalanche that allows users to purchase “stakes” in their favorite content creators in exchange for exclusive content and other benefits. It is often compared to Friend.tech, a similar application that runs on the Base network.

Stars Arena was exploited on October 5th. X user Lilitch.eth claimed to have lost over $1 million in the attack, while the app’s developers claimed to have only lost around $2,000 worth of cryptocurrency. The exploited smart contract was upgradeable, and the team fixed the vulnerability and relaunched it with new code on the day of the attack.

On October 7, the address 0x96cefd23b3691d8cead413f2ec882e445fd0801e sent an on-chain message to the attacker stating, “Please return funds to contract address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC and we will provide you with a 5% white hat bonus. The offer is valid until October 10th. If you don’t send it, we will have to take legal action against you.”

The address listed in the body of the message is the official Stars Arena: Shares contract, which seems to imply that the message was sent by the team. The attacker did not reply directly to this message. Instead, on October 11, they sent a reply to another address, stating, “I am willing to cooperate.”

News from Stars Arena developers, October 11. Source: SnowTrace.

From this point on, a series of on-chain messages passed between the team and the attacker. At one point, the team asked the attacker to respond using the Blockscan chat app, but the attacker replied that the team had turned on the anti-spam filter and could not receive messages through Blockscan.

At 07:21 PM UTC, the team sent a final message to the attacker. “We have agreed to a 10 percent bounty,” they said. “The other half will be sent, thereby acknowledging that this was a white hat operation.”

At 7:43 PM UTC, the team announced on Twitter that the attackers had returned 90% of the stolen funds, minus the 1,000 Avalanche (AVAX) tokens that were lost in the cross-chain bridge. According to the team’s post, 266,104 AVAX (approximately $2.4 million at today’s prices) were initially drained from the app, but 239,493 AVAX (approximately $2.2 million) were later recovered. This means that more than 89.9% of the stolen funds have been recovered.

Related: The report pointed out that the third quarter of 2023 was the most “severe” quarter for cryptocurrency losses, with losses reaching US$700 million.

Exploiters often siphon funds from decentralized finance protocols and then return most of the funds in exchange for not being sued. Critics claim these attacks could have been avoided if the protocol had a stronger bug bounty program and better payouts, as they say this could induce hackers to submit legitimate bounties instead of attacking the protocol. In September this year, blockchain security platform Immunefi launched a “vaults” bug bounty program to increase transparency, hoping that the program would attract more hackers to participate in legitimate bounty programs and stay away from illegal attacks.