In October 2023, the Stars Arena social token platform was the victim of a hack. The attackers exploited a reentrancy vulnerability in the project’s smart contract to steal an estimated $2.9 million in $AVAX from the protocol.
Inside the Attack
Stars Arena is a blockchain-based social token platform. On the platform, creators can sell tickets to private chat rooms that allow purchasers greater access to those creators and the potential for exclusive rewards and opportunities.
The Stars Arena hack is attributed to a reentrancy vulnerability in the project’s contracts. A reentrancy vulnerability can exist if a smart contract sends Ether to another contract and doesn’t perform state updates before that transfer. Withdrawal functions are a common location for reentrancy vulnerabilities because the attacker can call the function and receive the withdrawn funds before the contract updates the user’s balance to reflect the withdrawal. If this withdrawal is to a smart contract, the attacker can call the vulnerable function again (“reentering it”) before the withdrawal is debited from their account.
In the case of Stars Arena, the reentrancy vulnerability existed in the code that managed ”shares” to users. In theory, these shares should be sold at a certain amount. Due to the reentrancy vulnerability in the contract’s code, the attackers were able to inflate the weight associated with a share, thereby increasing the value of that share. As a result, they were able to increase the price of a share to approximately $274K.
Exploiting this vulnerability enabled the attackers to drain value from the smart contract. In total, they were able to steal an estimated $2.9 million from the project.
After the attack was discovered, the Stars Arena team acknowledged the issue and froze the platform to begin repairs. During this process, the project’s website also suffered a distributed denial-of-service (DDoS) attack that inhibited its ability to communicate with its users.
Lessons Learned from the Attack
Reentrancy vulnerabilities are some of the most well-known vulnerabilities on the Ethereum platform. The DAO hack is a famous example of an early reentrancy exploit, and numerous projects have fallen victim to similar attacks since.
Reentrancy vulnerabilities can be eliminated via design best practices, such as the check-effect-interaction pattern. Ethereum also offers reentrancy guard defenses against these types of attacks.
Reentrancy is not a novel vulnerability, and smart contract audits can help to detect and remediate these vulnerabilities. To learn more about protecting your project against reentrancy and similar threats, get in touch.