Stars Arena drained of $2.9 million in AVAX tokens, funds in user wallets are safe

Quick Take

  • Avalanche-based Stars Arena has been exploited and its smart contract drained.
  • This means users’ tickets are currently worthless, but they still have funds in their own in-app wallets.

Avalanche-based social token platform Stars Arena has been exploited for all the funds locked in its smart contract.

The size of the exploit was roughly $2.9 million, according to security analysts PeckShield. The amount of value locked in the project’s smart contract has fallen to $0.47, according to DefiLlama.

“There has been a major security breach with the smart contract. We're actively checking the issue. DO NOT deposit any funds,” said Stars Arena on X.

The vulnerability was caused by a reentrancy issue, PeckShield said, which allowed attackers to sell tickets for much more than they were worth, up to $2,740 each.

The app’s users are still able to withdraw tokens they have in their wallets on the app but will not receive any value if they sell tickets — which represent access to other people’s chat groups — that they own.

What is Stars Arena?

Stars Arena is a version of FriendTech, an app that lets you buy tokens that give access to an individual’s chat room. The tokens are typically priced on a bonding curve, so they get increasingly more expensive as more people buy the tokens. Fees are also quite high on these types of apps, with FriendTech charging 10% in fees on every transaction, split between the app and the group’s owner.

Stars Arena was recently hit by a much smaller vulnerability that enabled anyone to drain AVAX coins from the project's smart contract. However, the bug was difficult to exploit because it wasn’t profitable when transaction fees were high, and few funds were lost before it was fixed.

At the time, Ava Labs CEO Emin Gun Sirer described reports on the issue as “FUD” — effectively meaning unwarranted criticism — and said it was time to get back to having fun in the arena. Stars Arena also did a long post on X claiming it was being targeted by malicious actors in “coordinated FUD” and promised that “We will fight, we will survive, we will win.”


© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Tim is the Editor-In-Chief of The Block. Prior to joining The Block, Tim was a news editor at Decrypt. He has earned a bachelor's degree in philosophy from the University of York and studied news journalism at Press Association Training. Follow him on X @Timccopeland.

Editor

To contact the editor of this story:
James Hunt