U.Today - A SocialFi protocol on Avalanche (AVAX) is targeted by the second attack in three consecutive days. It seems that the same malefactors might be exploiting a well-known vulnerability, while some commentators accuse the team of an insider job.
Stars Arena attacked yet again, here's how
Stars Arena, an overhyped SocialFi protocol on the Avalanche (AVAX) blockchain, was attacked today, Oct. 7, 2023, at about 6 a.m. UTC. The aggregated losses of its liquidity ecosystem might exceed 274,000 AVAX, or almost $2.9 million in equivalent, cryptocurrency security researchers PeckShield said on X. The Stars Arena team confirmed the "vulnerability" and asked all its users and Avalanche (AVAX) enthusiasts to avoid depositing money while an investigation is underway.
The "reentrancy bug" was abused by the attacker to maliciously adjust the price that has to be paid for one "share," a kind of in-app currency. The attackers made it possible to buy a share and then sell it at a dramatically increased price.
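The bug class described above can be modelled in a few lines. The following is an added example, not code from Stars Arena or from the original article: a toy share contract in Python whose bonding curve, refund hook and all names are assumptions made for illustration. It shows how an external call placed before the state update lets a nested purchase run at a stale price, and how updating state first plus a reentrancy lock closes the gap.

```python
class ReentrancyError(Exception):
    """A guarded function was entered while it was already running."""

def price(supply):
    return (supply + 1) ** 2   # constructed bonding curve, not the real one

class ShareMarket:
    """Toy share contract (hypothetical; not Stars Arena's code)."""
    def __init__(self, hardened):
        self.hardened, self.locked = hardened, False
        self.supply = 0        # shares outstanding
        self.balance = 0       # funds held; must never go negative

    def buy(self, caller):
        if self.hardened and self.locked:
            raise ReentrancyError("buy() re-entered")
        self.locked = True
        try:
            self.balance += price(self.supply)
            if self.hardened:
                self.supply += 1          # effect first ...
                caller.on_refund(self)    # ... then the external call
            else:
                caller.on_refund(self)    # external call sees stale supply
                self.supply += 1
        finally:
            self.locked = False

    def sell(self):
        self.supply -= 1
        self.balance -= price(self.supply)

class ReentrantCaller:
    """Test harness: its refund hook calls buy() once more."""
    def __init__(self):
        self.nested, self.blocked = False, False

    def on_refund(self, market):
        if not self.nested:
            self.nested = True
            try:
                market.buy(self)
            except ReentrancyError:
                self.blocked = True

def simulate(hardened):
    market, caller = ShareMarket(hardened), ReentrantCaller()
    market.buy(caller)
    while market.supply > 0:   # sell every share back
        market.sell()
    return market.balance, caller.blocked
```

In the unguarded run the contract ends with a negative balance because two shares were sold at the first share's price; in the hardened run the nested call is rejected and the balance returns to zero.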
It should also be noted that two days ago, soon after its launch, the Avalanche-based SocialFi was already exploited for over $1 million. As previously reported by U.Today, the attackers were able to redeem zero shares for "real" AVAX payouts.
Both Avalanche (AVAX) key figureheads and Stars Arena team representatives stressed that thanks to gas inefficiency, the attack was not so dangerous.
Community enraged: "Reentrancy attack in 2023?"
However, as it happened amid the "SocialFi frenzy" triggered by Friend.tech's success, the Stars Arena drama caused quite a stir in the Web3 community. Many commentators on X highlighted that "reentrancy" attacks are well-known malicious practices previously used for price manipulations in DeFi.
Also, some other speakers are accusing the team of an insider job as "vulnerable" elements of the contract seem to them.
In 2022, this attack design resulted in $80 million being lost in the Rari/Fei exploit, as U.Today reported. Also, the infamous 2016 DAO hack used this method to drain Ethereum (ETH) funds.