Friend.tech copycat StarsArena patches exploit after some funds were drained

Ethereum

The StarsArena Web3 app on Avalanche has lost some of its funds due to a malicious attack, according to social media reports on October 5. 

StarsArena user Lilitch.eth discovered the exploit and announced it on X, formerly known as Twitter. Lilitch.eth claimed over $1 million was lost in the attack. The StarsArena team confirmed the attack, calling it a “war” against the app. They said the attack only resulted in approximately $2,000 in losses and the exploit has now been patched.

StarsArena is a Web3 social media app running on the Avalanche network. Similar to Friend.tech, it allows users to buy “shares” or tokenized assets issued by content creators. The issuers can grant token owners access to exclusive content or other perks. Avalanche has seen a surge of activity since StarsArena was launched, as the network’s daily transaction count increased by over 186% from October 3-4.

On the morning of October 5, Lilitch.eth declared on X that StarsArena was being drained of funds. “1.1 million dollars are being drained right now because of noob devs who couldn’t make a copy of http://Friend.tech that will work properly,” Lilitch stated, adding “If you hold ANY SHARES in StarsArena you should sell while you still can.” In the post, they showed an image of a contract at address 0xA481B139a1A654cA19d2074F174f17D7534e8CeC that contained approximately 107,329 Avalanche (AVAX) tokens, worth over $1 million at the time.

In response, some users accused Lilitch of “fudding” (spreading fear, uncertainty, and doubt). For example, ZSwapDEX developer Mork claimed that “no exploiter can profit from this because the gas to run the tx is higher than the Avax extracted” and “they are proxy contracts – able to be updated.”

Related: Friend.tech revenue surges over 10,000 ETH, TVL tops 30,000 ETH

The StarsArena team responded with a post on X stating that “THE EXPLOIT HAS BEEN FIXED.” It claimed that attackers had been spending $5 in gas to drain $1 from the app in an attempt to destroy its credibility. “We are at war,” the post stated, claiming that the app was experiencing “coordinated FUD.” The team held a Twitter Spaces event to explain to users what was happening. In the event, they explained that only around $2,000 had been lost in the attack.

Responding to the team’s post, Lilitch denied that attackers had been spending $5 in gas to drain $1. “Nobody was spending 5$ to get 1$ from your TVL, chill,” they stated. They claimed instead that attackers stopped whenever gas prices became too high to make the attack profitable. Lilitch also denied making “war” against the app. In another post, they claimed to support the app now that it has been patched, stating “the conflict was resolved, we are friend now @starsarena to the moon.”

Friend.tech users have been facing a wave of SIM-swap attacks, leaving its users and those of similar apps on edge. On October 5, the Friend.tech team implemented a function to remove login methods to help combat the problem.