- Unique bounty deal leads to the return of exploited assets.
- Accountability is possible despite the pseudonymity of hackers.
- A negotiated agreement provides an exciting compromise mod
Social media startup Stars Arena has managed to recover approximately 90% of the cryptocurrency stolen in a security exploit last week, an impressive turnaround enabled by an unusual agreement with the hacker responsible.
The Avalanche-based company confirmed that after extensive negotiations, they reached a deal for the hacker to return most of the exploited funds in exchange for a 10% bounty payment. This demonstrates that even in the largely pseudonymous world of crypto, accountability is possible when compromised platforms get creative.
Exploit drains millions from Stars Arena contract.
The exploit occurred on October 7th, draining 266,104 AVAX worth around $2.9 million from Stars Arena’s smart contract and instantly reducing the value locked in the app to zero.
Stars Arena quickly attributed the massive breach to a reentrancy vulnerability in its code that allowed attackers to sell inflated-price profile tokens, the tokens that grant access to a user's chat room. It warned users against depositing additional funds until the issue could be addressed.
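The article does not show the vulnerable contract, so the following is an added illustration of the bug class it names, not Stars Arena's code: a minimal Friend.tech-style share market in Solidity with the sell path written in the weak order (pay first, update state last) beside the checks-effects-interactions order; the contract and function names, and the linear price curve, are assumptions.

```solidity
pragma solidity ^0.8.20;

// Illustrative Friend.tech-style share market for this article; NOT Stars Arena's code.
// The sell price depends on the current supply, so the order of operations matters.
contract SharesMarket {
    mapping(address => uint256) public sharesSupply;                // subject => total shares
    mapping(address => mapping(address => uint256)) public shares;  // subject => holder => shares
    bool private locked;                                             // simple reentrancy guard
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Assumed linear bonding curve: the n-th share costs n * 0.001 ether.
    function getPrice(uint256 supply, uint256 amount) public pure returns (uint256) {
        uint256 total;
        for (uint256 i = 1; i <= amount; i++) total += (supply + i) * 0.001 ether;
        return total;
    }

    function buyShares(address subject, uint256 amount) external payable {
        uint256 price = getPrice(sharesSupply[subject], amount);
        require(msg.value == price, "wrong payment");
        shares[subject][msg.sender] += amount;
        sharesSupply[subject] += amount;
    }

    // WEAK: the payout (an external call) happens before the sale is recorded, so a
    // caller that re-enters from its receive() still passes the balance check and is
    // paid the same not-yet-reduced price again until the contract is drained.
    function sellSharesWeak(address subject, uint256 amount) external {
        require(shares[subject][msg.sender] >= amount, "insufficient shares");
        uint256 price = getPrice(sharesSupply[subject] - amount, amount);
        (bool ok, ) = msg.sender.call{value: price}("");   // interaction first
        require(ok, "payout failed");
        shares[subject][msg.sender] -= amount;             // effects last
        sharesSupply[subject] -= amount;
    }

    // HARDENED: checks, then effects, then the external call, plus a reentrancy guard.
    function sellShares(address subject, uint256 amount) external nonReentrant {
        require(shares[subject][msg.sender] >= amount, "insufficient shares");
        uint256 price = getPrice(sharesSupply[subject] - amount, amount);
        shares[subject][msg.sender] -= amount;             // effects before interaction
        sharesSupply[subject] -= amount;
        (bool ok, ) = msg.sender.call{value: price}("");
        require(ok, "payout failed");
    }
}
```

A reviewer checking a fork of this pattern looks for exactly this ordering in every function that sends value, and for a guard on any function whose price depends on state that the external call could change.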
According to Stars Arena, the hacker has returned 239,493 AVAX across two transactions, representing nearly 90% of the stolen amount. Per their agreement, the hacker received 27,610 AVAX (approximately $250,000) as the 10% bounty for returning most of the funds. The bounty also included 1,000 AVAX as compensation for losses the hacker incurred while using a bridge.
Novel agreement and audit offer a path forward.
Stars Arena operates as a fork of the FriendTech app, facilitating the buying and selling of influencer tokens that provide access to individual chat rooms. With transaction fees at a steep 10%, the model relies on trust in smart contract security.
The company indicated that it has written a new smart contract and, with the returned funds in hand, is finalizing a comprehensive audit before reinstating and relaunching the platform. It claimed to have quickly patched a smaller $2,000 exploit on October 5th.
While the recent exploits highlight vulnerabilities in the fast-evolving web3 social media space, Stars Arena’s ability to recover most of the exploited funds through a negotiated agreement shows the potential for accountability. The pseudonymity of many cybercriminals often makes legal remedies difficult for compromised platforms.
Their bounty agreement with the hacker represents an exciting model for non-legal resolution. By enticing the perpetrator with a share of the funds, Stars Arena could rapidly recover assets to restart its operations. At the same time, the hacker avoided potential prosecution and still profited.