In a recent incident on October 5, the StarsArena Web3 app on the Avalanche network fell victim to a malicious attack, resulting in the loss of a significant amount of funds. The attack was brought to light by a user with the handle Lilitch.eth, who raised the alarm on X (formerly known as Twitter). According to Lilitch.eth, the attack led to a loss of over $1 million. The StarsArena team acknowledged the attack and referred to it as a “war” against their app. However, they tried to downplay the extent of the damage, stating that the losses amounted to only approximately $2,000. They also assured users that the exploit responsible for the attack had been patched.
StarsArena is a Web3 social media app that operates on the Avalanche network. Similar to Friend.tech, it lets users purchase “shares”, tokenized assets issued by content creators. These tokens offer various benefits, such as access to exclusive content or other perks. Following the launch of StarsArena, Avalanche experienced a surge in activity, with daily transaction counts increasing by over 186% between October 3 and October 4.
On the morning of October 5, Lilitch.eth posted on X, claiming that StarsArena was being drained of funds to the tune of $1.1 million. They criticized the developers, referring to them as “noobs” who couldn’t create a proper copy of Friend.tech. They urged users who held any shares in StarsArena to sell while they still could. To support their claim, Lilitch.eth shared an image of a contract with the address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC, which contained approximately 107,329 Avalanche (AVAX) tokens valued at over $1 million at the time.
Not everyone viewed Lilitch.eth’s claims in a favorable light. Some users accused them of spreading fear, uncertainty, and doubt (FUD). Mork, a developer from ZSwapDEX, argued that the attacker couldn’t profit from the attack because the gas cost of executing the transaction was higher than the AVAX obtained. Mork also pointed out that the contract being exploited was a proxy contract that could be updated.
The StarsArena team swiftly responded to the allegations with a post on X, stating that the exploit had been fixed. They claimed that the attackers were intentionally spending $5 in gas to drain $1 from the app, solely aiming to tarnish its credibility. They described the situation as a “war” and suggested that coordinated FUD was being spread. The team organized a Twitter Spaces event to update and educate users about the ongoing situation. During the event, they clarified that the actual loss incurred due to the attack was around $2,000.
In response to the team’s post, Lilitch.eth denied the claim that attackers were spending $5 in gas to drain $1. They clarified that attackers would cease the exploitation whenever gas prices became too high to make it financially viable. Lilitch.eth also refuted the idea that they were waging a war against the app. They expressed their support for StarsArena and proclaimed that the conflict had been resolved, emphasizing unity by stating “we are friend now @starsarena to the moon.”
Friend.tech, an app similar to StarsArena, has recently faced a series of SIM-swap attacks, which has left users of both platforms on edge. In response to these incidents, the Friend.tech team implemented a function on October 5 to remove certain login methods, aiming to combat the problem and enhance user security.