Social media app Stars Arena has recovered approximately 90% of the funds it lost after being exploited, according to an October 11 announcement from the team on X (formerly Twitter). The recovery occurred after four days of on-chain negotiations, blockchain data shows. The attacker was allowed to keep slightly more than 10% of the funds as a “white hat” bounty.
We have recovered approximately 90% of the lost funds.
We reached an agreement with the individual responsible for the recent security breach.
The funds have been returned in exchange for a 10% bounty fee + 1000 AVAX that was lost in a bridge.
Total funds lost:…
— Stars Arena (@starsarenacom) October 11, 2023
Stars Arena is a social media app on Avalanche that allows users to buy “shares” of their favorite content creators in exchange for exclusive content and other perks. It is often compared to Friend.tech, a similar app that runs on the Base network.
Stars Arena was exploited on October 5. X user Lilitch.eth claimed that over $1 million was lost in the attack, while the developers of the app claimed that only around $2,000 worth of crypto was lost. The exploited smart contract was upgradeable, and the team patched the exploit and relaunched with new code on the day of the attack.
On October 7, address 0x96cefd23b3691d8cead413f2ec882e445fd0801e sent an on-chain message to the attacker, stating “please return the funds to the contract address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC we will give you 5% white hat bonus for doing that offer is valid until oct 10 only if you don’t send we will have to take legal action against you.”
The address listed in the body of the message is the official Stars Arena: Shares contract, which seems to imply that the message was sent by the team. The attacker did not respond directly to this message. Instead, on October 11, they sent a reply to a different address, stating “I would like to cooperate.”
A series of on-chain messages occurred between the team and the attacker from this point forward. At one point, the team asked the attacker to respond using the Blockscan chat app, but the attacker replied that the team had their anti-spam filter on and could not receive messages through Blockscan.
At 7:21 pm UTC, the team sent a final message to the attacker. “We have agreed for a 10% bounty,” they stated. “The other half shall be sent, thus acknowledging this is a whitehat operation.”
At 7:43 pm UTC, the team announced on Twitter that the attacker had returned 90% of the stolen funds minus 1,000 Avalanche (AVAX) tokens that had been lost in a cross-chain bridge. According to the team’s post, 266,104 AVAX (approximately $2.4 million at today’s price) was originally drained from the app, but 239,493 AVAX (approximately $2.2 million) was recovered. This implies that more than 89.9% of stolen funds were recovered.
Exploiters often drain funds from decentralized finance protocols, then return most of the funds in exchange for an agreement not to be prosecuted. Critics claim that these attacks could be avoided if protocols had more robust bug bounty programs with better payouts, as they say this could entice hackers into submitting legitimate bounties instead of attacking protocols. In September, blockchain security platform Immunefi launched a ‘vaults’ bug-bounty program in an effort to increase transparency, which it hopes will attract more hackers to legitimate bounty programs and away from illicit attacks.