Friend.tech copycat Stars Arena patches exploit after some funds drained
Stars Arena announced that attackers were draining funds through a loophole, but the contract has been patched to prevent further damage.
The Stars Arena Web3 social media app on Avalanche has lost some of its funds due to a malicious attack, according to social media reports.
Stars Arena user Lilitch.eth discovered the exploit on Oct. 5 and announced it on X (formerly Twitter), claiming that over $1 million was lost. The Stars Arena team confirmed the attack, calling it a “war” against the app. They said the attack only resulted in approximately $2,000 in losses and that the exploit had been patched.
THE EXPLOIT HAS BEEN FIXED.
BUT DON’T GET THIS WRONG WE ARE AT WAR.
We’re being targeted by malicious actors in the space that want to steal your money.
The little guy is under attack.
You are under attack.
Your right to platform diversity is under attack.
Don’t get it… pic.twitter.com/DmbMdf9cAq
— Stars Arena (@starsarenacom) October 5, 2023
Similar to Friend.tech, Stars Arena allows users to buy “shares,” tokenized assets issued by content creators. The issuers can grant token owners access to exclusive content or other perks. Avalanche has seen a surge of activity since Stars Arena was launched, with the network’s daily transaction count increasing by over 186% from Oct. 3 to 4.
On Oct. 5, Lilitch.eth declared on X that “1.1 million dollars are being drained right now because of noob devs who couldn’t make a copy of Friend.tech that will work properly. If you hold ANY SHARES in StarsArena you should sell while you still can.” In the post, they showed a screenshot of a smart contract that contained approximately 107,329 AVAX (AVAX), worth over $1 million at the time.
@starsarenacom, you fucked up
1.1 million dollars are being drained right now because of noob devs who couldn’t make a copy of https://t.co/h7traLwG9i that will work properly
If you hold ANY SHARES in StarsArena you should sell while you still can
read next⬇️ pic.twitter.com/HzgXvJc8ju
— lilitch.eth (@0xlilitch) October 5, 2023
In response, some users accused Lilitch.eth of “fudding” (spreading fear, uncertainty and doubt). For example, ZSwap developer Mork claimed that “no exploiter can profit from this because the gas to run the tx is higher than the Avax extracted” and that “they are proxy contracts – able to be updated.”
Related: Friend.tech revenue surges over 10,000 ETH, TVL tops 30,000 ETH
The Stars Arena team responded with a post on X stating that “THE EXPLOIT HAS BEEN FIXED.” It claimed that attackers had been spending $5 in gas to drain $1 from the app in an attempt to destroy its credibility with “coordinated FUD.” The team held a Twitter Spaces event to explain to users what was happening, during which it stated that only around $2,000 had been lost in the attack.
Responding to the team’s post, Lilitch.eth denied that attackers had been spending $5 in gas to drain $1. “Nobody was spending 5$ to get 1$ from your TVL, chill,” they stated, claiming instead that attackers stopped whenever gas prices became too high to make the attack profitable. Lilitch.eth also denied waging “war” against the app. In another post, they claimed to support the app now that it has been patched, stating, “The conflict was resolved, we are friend now. @starsarena to the moon.”
Friend.tech users have been facing a wave of SIM-swap attacks, leaving its users and those of similar apps on edge. On Oct. 5, the Friend.tech team implemented a function to remove login methods to help combat the problem.