defirisk.co
rubric v1.7.0

Stars Arena: Reentrancy

Stars Arena's "fix" for its first exploit introduced a reentrancy bug that drained the entire $2.9M TVL less than 24 hours later.

Occurred: 2023-10-07
Loss: $3M
Status: closed

Summary #

Stars Arena, a SocialFi protocol (FriendTech clone), suffered a reentrancy exploit on 2023-10-07, resulting in a loss of approximately $3M.

What happened #

A proxy upgrade deployed as the "fix" for Stars Arena's first exploit introduced a reentrancy bug. The new implementation was unverified and had never been audited, and less than 24 hours after the upgrade the contract was drained of its entire $2.9M TVL.

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — exploited code outside scope [via dashboard_risk_factors/Was exploited code in audit scope?: N/A — no audit existed]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — second exploit used contract deployed as "fix" for first exploit, hours before attack]
  • RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: No]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Proxy upgrade between exploit 1 and exploit 2 introduced the reentrancy bug; new implementation was unverified]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — FriendTech clone]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — second exploit used contract deployed as "fix" for first exploit, hours before attack]