Stars Arena retrieves 90% of misappropriated funds following on-chain discussions.
According to an announcement from the Stars Arena team on X (formerly Twitter) dated October 11, the social media application has successfully retrieved around 90% of the funds it lost following an exploit. This recovery was achieved after four days of negotiations on the blockchain, as indicated by blockchain data. The perpetrator retained just over 10% of the funds as a “white hat” reward.
UPDATE:
We have successfully recovered approximately 90% of the lost funds.
We reached an agreement with the individual who was responsible for the recent security incident.
The funds have been returned in exchange for a 10% bounty fee plus 1000 AVAX that was lost during a bridge transaction.
Total funds lost: …
— Stars Arena (@starsarenacom) October 11, 2023
Stars Arena is a social media platform built on Avalanche that enables users to purchase “shares” of their preferred content creators in return for exclusive content and various benefits. It is frequently likened to Friend.tech, a comparable application operating on the Base network.
The exploit of Stars Arena occurred on October 5. An X user named Lilitch.eth asserted that the attack resulted in a loss exceeding $1 million, while the app’s developers contended that only about $2,000 worth of cryptocurrency was lost. The smart contract that was exploited was upgradeable, and the team addressed the exploit and redeployed with new code on the same day as the attack.
On October 7, the address 0x96cefd23b3691d8cead413f2ec882e445fd0801e sent an on-chain message to the attacker, stating, “please return the funds to the contract address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC; we will provide you with a 5% white hat bonus for doing so. This offer is valid until October 10. If you do not comply, we will have to pursue legal action against you.”
The address mentioned in the message is the official Stars Arena: Shares contract, suggesting that the communication was initiated by the team. The attacker did not reply directly to this message. Instead, on October 11, they responded to a different address, indicating, “I would like to cooperate.”
Message from Stars Arena exploiter, October 11. Source: SnowTrace.
A series of on-chain communications took place between the team and the attacker following this. At one point, the team requested the attacker to respond via the Blockscan chat application, but the attacker replied that the team had their antispam filter activated and could not receive messages through Blockscan.
At 7:21 pm UTC, the team sent a concluding message to the attacker, stating, “We have agreed on a 10% bounty.” They added, “The remaining amount shall be sent, thus confirming this is a white hat operation.”
At 7:43 pm UTC, the team announced on Twitter that the attacker had returned 90% of the stolen funds, excluding 1,000 Avalanche (AVAX) tokens that were lost in a cross-chain bridge. According to the team’s update, 266,104 AVAX (approximately $2.4 million at the current price) was initially drained from the application, but 239,493 AVAX (approximately $2.2 million) was recovered. This indicates that over 89.9% of the stolen funds were retrieved.
Exploiters frequently siphon funds from decentralized finance protocols and subsequently return the majority of the funds in exchange for assurances against prosecution. Critics argue that these incidents could be prevented if protocols implemented more effective bug bounty programs with improved rewards, since this might encourage hackers to report vulnerabilities through legitimate bounty channels rather than resorting to attacks. In September, the blockchain security platform Immunefi introduced a ‘vaults’ bug-bounty program aimed at enhancing transparency, which it hopes will draw more hackers to legitimate bounty programs instead of illicit activities.