StarsArena Web3 App on Avalanche Exploited, Funds Drained in Malicious Attack

The Attack

A recent social media report on October 5 revealed that the StarsArena Web3 app on Avalanche had fallen victim to a malicious attack, resulting in a loss of funds. Lilitch.eth, a user of the app, uncovered the exploit and shared the news on X (formerly known as Twitter), claiming that over $1 million had been lost. The StarsArena team confirmed the attack but stated that only around $2,000 in losses had occurred. They quickly patched the exploit to secure the platform.

StarsArena: A Web3 Social Media App

StarsArena operates as a Web3 social media app on the Avalanche network. Similar to Friend.tech, the platform allows users to purchase tokenized assets or "shares" issued by content creators. Token owners gain exclusive access to content and other perks. Since the launch of StarsArena, the Avalanche network has experienced a significant increase in daily transaction count, rising by over 186% from October 3-4.

The Exploit Unveiled

In the early morning of October 5, Lilitch.eth shared alarming news on X, stating that StarsArena was being drained of funds. They criticized the developers, accusing them of creating an ineffective copy of Friend.tech. Lilitch.eth advised users to sell their shares immediately if they held any in StarsArena. They provided an image of a contract address, 0xA481B139a1A654cA19d2074F174f17D7534e8CeC, containing approximately 107,329 Avalanche (AVAX) tokens with a value exceeding $1 million at the time.

Accusations and Response

Some users, including ZSwapDEX developer Mork, accused Lilitch.eth of spreading fear, uncertainty, and doubt (FUD). Mork argued that the exploit wouldn't be profitable due to high gas fees and the ability to update proxy contracts. In response, the StarsArena team issued a statement on X, assuring users that the exploit had been fixed. They claimed that attackers were attempting to tarnish the app's reputation by spending $5 in gas to drain $1. The team organized a Twitter Spaces event to explain the situation, revealing that the total loss from the attack amounted to approximately $2,000.

Denials and a Resolved Conflict

Lilitch.eth denied the claim that attackers were spending $5 to drain $1, asserting that they would stop when gas prices became too high for the attack to be profitable. They also denied waging "war" against the app. In a subsequent post, Lilitch.eth announced their support for StarsArena after the exploit had been patched, expressing solidarity by stating "the conflict was resolved, we are friends now @starsarena to the moon."

Crisis in the Web3 Space

The incident with StarsArena adds to the growing concerns surrounding security in the Web3 space. Friend.tech and similar apps have recently faced an influx of SIM-swap attacks, leaving users on edge. In response, the Friend.tech team took measures to mitigate the problem by implementing a function to remove login methods.