Stars Arena, an Avalanche-based social protocol and one of the most popular platforms of recent times, has been found to have a critical security vulnerability that could allow the theft of user funds worth 1.1 million dollars.
@starsarenacom, you fucked up
1.1 million dollars are being drained right now because of noob devs who couldn't make a copy of https://t.co/h7traLwG9i that will work properly
If you hold ANY SHARES in StarsArena you should sell while you still can
read next⬇️ pic.twitter.com/HzgXvJc8ju
— lilitch.eth (@0xlilitch) October 5, 2023
According to an analyst named lilitch.eth, the security vulnerability may have initially arisen due to a faulty getPrice() function within the contract.
So how is the contract getting drained right now?
THEIR getPrice() FUNCTION IS BROKEN
You can sell 0 shares and get AVAX. Yep. You can do this right now and it will work.
But where does this extra AVAX come from?
read next ⬇️ pic.twitter.com/0RM7NHxLeq
— lilitch.eth (@0xlilitch) October 5, 2023
This vulnerability could also allow hackers to empty the contract by calling it and transferring the funds to their own wallets.
The analyst points out that, because of the high transaction fees on the Avalanche network, it doesn’t make sense for hackers to steal funds. However, this does not completely eliminate the risk of users losing their funds.
Source: The Block