Stars Arena, a Web3 social media platform, has successfully recovered nearly all the cryptocurrency stolen during an exploit that occurred on October 7. The platform announced on October 11 that it had regained approximately 90% of the 266,000 Avalanche tokens (AVAX) that were stolen, valued at roughly $3 million at the time of the attack. To recover the funds, Stars Arena agreed to provide the exploiter with a 27,610-AVAX bounty, equivalent to nearly $257,000, as part of the settlement.
The bounty also included compensation for 1,000 AVAX, valued at over $9,000, which the exploiter appeared to have lost in the bridge. Stars Arena revealed that it had created a new smart contract and was in the process of reviewing it before returning the funds and resuming operations.
Stars Arena first identified the vulnerability behind the exploit on October 7, describing it as a "significant security vulnerability" that resulted in the unauthorized draining of funds through its smart contract. In response to the incident, Stars Arena secured funding to address the security hole created by the exploit. It also engaged a development team to conduct a comprehensive security audit, although the specific details of how the exploit occurred were not disclosed.
Prior to the larger attack on October 7, Stars Arena experienced a smaller breach on October 5. However, in the earlier attack, the hackers were only able to abscond with around $2,000. The primary vulnerability that led to the attack was attributed to the absence of a secure price function in the platform's smart contract, which enabled attackers to sell user shares at no cost and receive AVAX tokens in return. The platform has since claimed to have patched this vulnerability.
It's worth noting that users of Stars Arena's main competitor, Friend.tech, have also reported targeted SIM swap attacks. Friend.tech has recently introduced additional security features to mitigate these types of attacks.


















