Stars Arena recovers 90% of stolen funds through successful on-chain negotiations

Social media app Stars Arena recently announced that it has recovered around 90% of the funds it lost to an exploit. Blockchain data shows the recovery followed four days of on-chain negotiations. The attacker was allowed to keep slightly more than 10% of the funds as a “white hat” bounty.

Stars Arena is a social media app that operates on the Avalanche network, enabling users to purchase “shares” of their favorite content creators in exchange for exclusive content and other benefits. It is often compared to Friend.tech, a similar app running on the Base network.

On October 5, Stars Arena was exploited. A user named Lilitch.eth claimed that over $1 million was lost in the attack, while Stars Arena’s developers stated that only around $2,000 worth of crypto was lost. Because the app’s smart contract was upgradeable, the team was able to patch the vulnerability quickly and relaunch the app with new code the same day.

In response to the attack, on October 7, the official Stars Arena team sent an on-chain message to the attacker, requesting the return of the funds. The message offered a white hat bonus of 5% and threatened legal action if the funds were not returned by October 10. The attacker did not directly respond to this message, but on October 11, they expressed willingness to cooperate.

A series of on-chain messages followed between the team and the attacker. At one point, the team asked the attacker to move the conversation to the Blockscan chat app, but the attacker replied that an antispam filter was blocking messages sent to them through Blockscan.

Eventually, at 7:21 pm UTC, the team sent a final message to the attacker, stating that they had agreed to a 10% bounty and acknowledging the incident as a white hat operation. At 7:43 pm UTC, the team announced on Twitter that the attacker had returned 90% of the stolen funds, excluding 1,000 AVAX lost in a cross-chain bridge. The returned amount was 239,493 AVAX, worth approximately $2.2 million.

The recovery of such a large share of the stolen funds is positive news for Stars Arena and its users. In decentralized finance exploits, attackers sometimes return most of the drained funds in exchange for a bounty and the prospect of avoiding prosecution. Critics argue that robust bug bounty programs with better payouts could deter hackers from attacking protocols in the first place.

In September, blockchain security platform Immunefi launched a “vaults” bug bounty program to increase transparency and encourage hackers to engage in legitimate bounty programs rather than resorting to illicit attacks.

Overall, the recovery of 90% of the funds lost by Stars Arena shows the value of patching vulnerabilities promptly and negotiating with attackers to limit the damage caused by exploits. By building stronger bug bounty programs and incentivizing ethical hacking, platforms like Stars Arena can improve their security and protect their users’ investments.
