On the 7th of November 2023, Stars Arena on the BNB Chain was attacked. The attack was made possible due to a logical flaw in the staking contract. Around $151k worth of tokens were stolen by the attacker.
Stars Arena is a Social Token Platform on Avalanche Chain. For more information, check out their website.
Vulnerability Analysis & Impact:
Attacker Address: 0x1a7b15354e2f6564fcf6960c79542de251ce0dc9
Victim Contract: 0x1694d7fabf3b28f11d65deeb9f60810daa26909a
The Root Cause:
- The root cause of the exploit was a logic flaw in TrustPad's Staking Contract.
- The receiveUpPool() function was responsible for accepting an upPool request from another pool: it moves the specified amount of tokens from the user, re-locks them, and changes the lock time period to now. Here, upPool means moving the tokens to another pool.
- Notice how msg.sender is not verified in the above contract. This allowed the attacker to continuously call receiveUpPool() and withdraw().
- Consequently, the attacker acquires the capability to immediately withdraw all staked funds and boost the pending reward status through the execution of the withdraw() function.
- Following the repetition of these actions, the attacker employs the stakePendingRewards() function to move all pending rewards into the staked amount state, enabling them to withdraw these rewards as profit later using the withdraw() function.
- First, the attacker deposits TPAD tokens into the LaunchpadLockableStaking contract with the help of the receiveUpPool() function.
- Then the attacker repeatedly calls the stakePendingRewards() and withdraw() functions to increase the impact of the attack.
- Finally, the attacker was able to withdraw all the funds.
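The missing caller check and its fix, as an added example that is not TrustPad's source code. It is a simplified, hypothetical pool: `StakingPoolSketch`, `trustedPool`, `setTrustedPool`, `receiveUpPoolUnchecked` and `_credit` are illustrative names, and only `receiveUpPool()` comes from the write-up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified, hypothetical staking pool for illustration; not the TrustPad source.
contract StakingPoolSketch {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => bool) public trustedPool; // sibling pools allowed to upPool into this one
    mapping(address => uint256) public staked;
    mapping(address => uint256) public lockStart;

    error UntrustedPool(address caller);

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    function setTrustedPool(address pool, bool allowed) external {
        require(msg.sender == owner, "not owner");
        trustedPool[pool] = allowed;
    }

    // Flawed shape: any address may call, so any caller can credit
    // an account and reset its lock start to the current block.
    function receiveUpPoolUnchecked(address account, uint256 amount) external {
        _credit(account, amount);
    }

    // Hardened: only registered pools may call.
    function receiveUpPool(address account, uint256 amount) external {
        if (!trustedPool[msg.sender]) revert UntrustedPool(msg.sender);
        _credit(account, amount);
    }

    // Assumption: tokens are pulled from the calling pool.
    function _credit(address account, uint256 amount) internal {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        staked[account] += amount;
        lockStart[account] = block.timestamp; // re-lock from "now"
    }
}
```

A unit or fuzz test for a pool like this should assert that `receiveUpPool()` reverts for every caller that is not in `trustedPool`.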
Flow of Funds:
Here is the fund flow during and after the exploit. You can see more details here.
Soon after the hack, the attacker started to transfer funds to Tornado Cash. See here.
After the Exploit
- The Project acknowledged the hack via their Twitter.
Nov-06-2023 04:02:52 PM +UTC – The attacker started the attack after creating a malicious contract.
Nov-07-2023 01:56:56 AM +UTC – The attacker repeatedly called the vulnerable function. This was the last transaction spotted.
Nov-07-2023 12:32:42 PM +UTC – The attacker started depositing funds to Tornado Cash.
The price of the TPAD token dropped from $0.120 to $0.0016 immediately following the attack. It is currently trading at $0.0011 as of the time of writing this blog. See here.
How could they have prevented the Exploit?
Insufficient input validation and logical flaws have been the target of hackers for a very long time.
It is recommended for protocols to prioritize testing and fuzzing to ensure all the edge cases have been successfully mitigated.