Social media app Stars Arena has announced that it has recovered approximately 90% of the funds it lost after being exploited. The recovery came after four days of on-chain negotiations, according to blockchain data. As part of the agreement, the attacker was allowed to keep slightly more than 10% of the funds as a "white hat" bounty.
The Details
Stars Arena is a social media app on Avalanche that allows users to buy "shares" of their favorite content creators in exchange for exclusive content and perks. It was exploited on October 5, with conflicting reports on the amount of funds lost. While a user claimed that over $1 million was lost, the app's developers stated that only around $2,000 worth of crypto was lost. The team quickly patched the exploit and relaunched with new code on the same day.
On October 7, the team sent an on-chain message to the attacker, offering a 5% white hat bonus if the funds were returned by October 10. The team also warned that legal action would be taken if the funds weren't returned. The attacker did not respond directly to this message, but on October 11 expressed a desire to cooperate.
Subsequent on-chain messages were exchanged between the team and the attacker. At one point, the team asked the attacker to respond using the Blockscan chat app, but the attacker claimed that the team's antispam filter prevented them from receiving messages through Blockscan.
Ultimately, a final message was sent to the attacker, offering a 10% bounty. The attacker agreed, and at 7:43 pm UTC, the team announced on Twitter that 90% of the stolen funds had been returned, minus 1,000 Avalanche (AVAX) tokens lost in a cross-chain bridge. This amounts to approximately $2.2 million recovered out of the $2.4 million originally drained from the app.
Bug Bounty Programs and Security
Exploits like these highlight the need for more robust bug bounty programs with better payouts. Critics argue that offering higher rewards for legitimate bug submissions could discourage hackers from attacking protocols and instead incentivize them to participate in bounty programs. In an effort to increase transparency and attract more hackers to legitimate bounty programs, blockchain security platform Immunefi launched a 'vaults' bug-bounty program in September.
Stars Arena's recovery of 90% of the exploited funds showcases the importance of on-chain negotiations and efforts to retrieve stolen assets in the crypto space.