Stars Arena has recovered 90% of the looted money after onchain negotiations
Social media app Stars Arena has recovered approximately 90% of the money it lost after being hacked, according to an announcement the team posted on X (formerly Twitter) on October 11. The recovery happened after a four-day hiatus on the chain, blockchain data shows. The attacker was allowed to keep more than 10% of the money as a “white hat” reward.
Update
We have recovered about 90% of the lost funds.
We have reached an agreement with the individual responsible for the recent security breach.
Money back for 10% bonus + 1000 AVAX lost in bridge.
Total money lost:…
— Stars Arena (@starsarenacom) October 11, 2023
Stars Arena is a social media app on Avalanche that allows users to purchase exclusive content and other perks from their favorite content creators. It is often compared to Friend.tech, a similar app that runs on the Base network.
Stars Arena was exploited on October 5. X user Lilitch.eth claimed to have lost more than $1 million in the attack, while the app's developers said only about $2,000 worth of crypto was lost. The smart contract used was upgradeable, and the team patched the exploit and started with new code on the day of the attack.
On October 7 Added 0x9691D81D82222E445F27E We send this offer only if you are unlocked to October 10. We will take legal action against you.
The address listed in the body of the message is the official Stars Arena: Shares contract, so this message appears to have been sent by the team. The attacker did not directly respond to this message. Instead, on October 11, they sent a reply to a different address saying, “I want to cooperate.”
A series of onchain messages passed between the team and the attacker from this point forward. At one point, the team asked the attacker to respond using the Blockscan chat app, but the attacker replied that the team had its anti-spam filter on and could not receive messages through Blockscan.
At 7:21 pm UTC, the team sent a final message to the attacker. “We agreed to a 10% bonus,” it said. “The other half will be sent, so recognizing that this is a bleaching operation.”
At 7:43 pm UTC, the team announced on Twitter that the attacker had returned 90% of the stolen funds, minus 1,000 Avalanche (AVAX) lost in a cross-chain bridge. According to the team, 266,104 AVAX (approximately $2.4 million at today's value) were withdrawn from the app, while 239,493 AVAX (approximately $2.2 million) were recovered. This shows that more than 89.9% of the stolen funds have been recovered.
Exploiters drain funds from decentralized finance protocols, then return most of the funds in exchange for a plea agreement. Critics say these attacks could be avoided if protocols had more robust bug bounty programs with better payouts, which could entice hackers to claim legitimate bounties instead of attacking protocols. In September, blockchain security platform Immunefi launched its “Vaults” bug bounty program in hopes of increasing transparency and attracting more hackers to legitimate bounty programs and away from illegal attacks.