Stars Arena SocialFi Drain
$2.9M drained from Stars Arena, an Avalanche friend.tech-style SocialFi app, via a share-price/withdrawal logic flaw at the peak of the SocialFi hype.
- Date: October 7, 2023
- Victim: Stars Arena
- Chain(s): Avalanche
- Status: Partially Recovered
On October 7, 2023, Stars Arena — an Avalanche-based friend.tech-style SocialFi application — was drained of approximately $2.9 million through a flaw in its smart contract's share-price / withdrawal logic. The exploit landed at the peak of the late-2023 "SocialFi" hype cycle, when friend.tech and its clones were attracting significant speculative capital.
What happened
Stars Arena, like friend.tech, let users buy and sell "shares" (or "tickets") of other users along a bonding curve — buying a creator's shares cost more as more were bought, and holders earned fees. The protocol held substantial AVAX as the collateral backing all the share positions.
The exploit targeted the share-price / withdrawal accounting. The specific flaw let the attacker withdraw far more AVAX than their share position justified — a class of bug endemic to fast-cloned bonding-curve contracts where the buy/sell price math and the collateral accounting are not rigorously kept in sync.
The attacker drained approximately $2.9M in AVAX — the bulk of the protocol's collateral backing all users' share positions.
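The invariant behind "price math and collateral accounting kept in sync" can be checked mechanically. The following is an added example, not Stars Arena's contract and not a reconstruction of the actual flaw: it assumes a simple quadratic curve (the k-th share costs k*k units), no fees, and a constructed `desync` switch that prices sells from the wrong supply, then replays a constructed operation sequence and reports the first operation after which held collateral falls below what the curve owes holders.

```python
"""Toy bonding-curve share market with a solvency invariant (constructed model)."""

def curve_cost(supply, amount):
    # Assumed curve: the k-th share costs k*k units; integer math only, no fees.
    return sum(k * k for k in range(supply, supply + amount))

class ShareMarket:
    def __init__(self, desync=False):
        self.supply = {}       # creator -> shares outstanding
        self.collateral = 0    # funds the contract actually holds
        self.desync = desync   # constructed bug: sells priced from the wrong supply

    def buy(self, creator, amount):
        held = self.supply.get(creator, 0)
        cost = curve_cost(held, amount)
        self.supply[creator] = held + amount
        self.collateral += cost
        return cost

    def sell(self, creator, amount):
        held = self.supply.get(creator, 0)
        if amount <= 0 or amount > held:
            raise ValueError("invalid sell amount")
        # A correct refund retraces the curve over [held - amount, held).
        start = held if self.desync else held - amount
        payout = curve_cost(start, amount)
        if payout > self.collateral:
            raise ValueError("payout exceeds collateral")
        self.supply[creator] = held - amount
        self.collateral -= payout
        return payout

    def liabilities(self):
        # What the contract would owe if every outstanding share were sold back.
        return sum(curve_cost(0, s) for s in self.supply.values())

def first_violation(market, ops):
    """Replay ops; return the index of the first op that leaves collateral < liabilities."""
    for i, (action, creator, amount) in enumerate(ops):
        {"buy": market.buy, "sell": market.sell}[action](creator, amount)
        if market.collateral < market.liabilities():
            return i
    return None

# Constructed operation sequence for the demo.
OPS = [("buy", "alice", 10), ("sell", "alice", 1), ("buy", "bob", 3), ("sell", "alice", 4)]

if __name__ == "__main__":
    print("synced curve:  ", first_violation(ShareMarket(), OPS))
    print("desynced curve:", first_violation(ShareMarket(desync=True), OPS))
```

The same check, collateral held versus the sum of every position's sell-back value, is the kind of property a fuzzing or invariant test suite can assert after every state-changing call before a fork ships.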
Aftermath
- Stars Arena paused the contract and acknowledged the breach.
- The team negotiated with the attacker and recovered a significant portion of the funds (the increasingly-standard "exploit, negotiate, partial return for bounty" resolution).
- Stars Arena relaunched with an audited contract, but the SocialFi hype cycle had largely passed by the time it did.
Why it matters
Stars Arena is a representative entry in the fast-clone-of-a-hyped-primitive failure category. The friend.tech model was novel and attracting attention; numerous clones (Stars Arena, others) shipped quickly to capture the speculative flow. Speed-to-market beat security review, and the bonding-curve + collateral-accounting math — which is deceptively easy to get subtly wrong — was the predictable failure point.
The structural pattern recurs every hype cycle:
- 2020 yield-farming: fast Compound/Curve forks → reentrancy, donation attacks.
- 2021 DeFi 2.0 / OlympusDAO forks → Snowdog-class mechanism failures.
- 2023 SocialFi / friend.tech clones → Stars Arena-class bonding-curve accounting bugs.
- 2024-2026 restaking / LRT / points → the newest frontier of the same dynamic.
The meta-lesson: whatever primitive is currently hyped, fast clones of it will ship with the accounting subtly wrong, and the speculative capital chasing the hype will be the collateral that gets drained. Stars Arena is one clean instance; the pattern is perennial, and the defensive advice — don't deposit meaningful capital into a days-old fork of a weeks-old primitive — is perennially ignored because the hype cycle's upside is, briefly, real.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-stars-arena-hack-october-2023
- [02] crypto.news: https://crypto.news/avalanche-based-stars-arena-quells-coordinated-fud-after-patching-exploit/
- [03] rekt.news: https://rekt.news/stars-arena-rekt