Stars Arena faces vulnerability that can potentially let users drain funds

Quick Take

  • Stars Arena faced a critical vulnerability that posed a risk to funds locked in its smart contract.

Update: The vulnerability has been addressed and resolved by Stars Arena, the team announced on X.

Avalanche-based social protocol Stars Arena was reportedly exposed to a critical vulnerability that could enable anyone to drain AVAX from the project's smart contract.

This security vulnerability threatened over $1 million of the value locked in its smart contract. The funds in the contract could be drained due to a faulty getPrice() function, which let hackers call the contract and transfer small amounts of funds to their wallets, as first noted by an analyst named lilitch.eth on X. The Block Research was able to confirm the vulnerability.

Despite the existence of this vulnerability, the high transaction fees on the network served as a deterrent for malicious hackers, as they needed to invoke the contract multiple times to drain the funds. Consequently, attempting to extract funds from the protocol did not appear to be profitable.

The estimated outflow of funds during the incident was $2000, according to Avalanche co-founder Emin Gün Sirer.

Monetized social media apps

Introduced in September, Stars Arena is a social protocol inspired by FriendTech. Within merely two weeks of its launch, the TVL of Stars Arena surpassed $1 million, leading to a significant surge in on-chain transactions on the Avalanche network.

Stars Arena enables users to connect their Twitter accounts, facilitating the purchase or sale of profile tokens of other users with Avalanche’s native currency, AVAX. The app automatically creates a wallet for users, enabling them to deposit AVAX and start using the service.

This story has been updated with additional information.


© 2024 The Block. All Rights Reserved.

AUTHOR

Vishal Chawla is The Block’s Crypto Ecosystems Editor and has spent over seven years covering tech protocols, cybersecurity, artificial intelligence and cloud computing. Vishal can be reached on Twitter at @vishal4c and via email at [email protected]


Editor

To contact the editor of this story: Tim Copeland at [email protected]
