Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
According to SlowMist, Stars Arena appeared to have been stolen due to a major security breach in its smart contract. Currently, the hacker has transferred 266,103 AVAX to the address (0xa2Eb...ad7A). The address (0xa2Eb...ad7A) transferred 50.32 AVAX to FixedFloat on October 6. On October 12, Stars Arena tweeted that they have recovered approximately 90% of the lost funds. An agreement has been reached with the hacker to return the funds, with a 10 percent bounty and 1,000 AVAX lost in the cross-chain bridge. 266,104 AVAX were lost, and the hacker returned 239,493 AVAX in two transactions. 27,610 AVAX were paid as a bounty. Attack method (per SlowMist): Reentrancy Attack. Reported loss: $ 2,900,000.
- chain
- —
- protocol
- Stars Arena
- bug_class
- reentrancy
- date_occurred
- 2023-10-05
- loss_usd
- $2,900,000
- source_id
- sm:stars-arena::2023-10-05