Stars-Arena-Exploit.md

Stars Arena

• Amount Lost: $2,974,530.00
• Funds Returned: $2,677,077.00
• Category: Other
• Date: 2023-10-7

Quick Summary

Stars Arena, an Avalanche-based project, was exploited through a reentrancy attack, leading to a loss of 2,974,530 USD worth 266,102 AVAX.

Details of the Exploit

Stars Arena is a social platform on the Avalanche chain. On October 7, 2023, the platform suffered a reentrancy attack. The attacker drained funds from the Stars Arena contract, amounting to 2,974,530 USD (266,102 AVAX). The Attacker created a contract that distributed the stolen funds to many addresses, sending 1,000 AVAX each. During the call of the 0xe9ccf3a3 function, the attacker reentered and called the 0x5632b2e4 function, setting a block height. This height was then used as a parameter in the sellShares function, resulting in an abnormally large calculated amount of AVAX to send.

Block Data Reference

Attacker Address:

https://cchain.explorer.avax.network/address/0xa2ebf3fcd757e9be1e58b643b6b5077d11b4ad7a

Malicious Transaction:

https://cchain.explorer.avax.network/tx/0x4f37ffecdad598f53b8d5a2d9df98e3c00fbda4328585eb9947a412b5fe17ac5

Malicious Contract:

https://cchain.explorer.avax.network/address/0x7f283edc5ec7163de234e6a97fdfb16ff2d2c7ac

Funds Distribution Transactions:

https://snowtrace.io/tx/0x8f5b2e8869260d6854ce4c93f58dfcbf6e8fb18b96c3e76db1eeb6dce0ef9fb1

Some of the Stolen Funds Holders:

https://cchain.explorer.avax.network/address/0x9b5ec83e5b9f124056596b7e9cbc08db622d418d

https://cchain.explorer.avax.network/address/0xded436c23e42312f866675b4980d0b1633c56b3e

Proof Links:

• https://twitter.com/BeosinAlert/status/1710543860848603582