starstream-finance-6Starstream FinanceAngoraDefi reported that over $8.2 million were drained due to a vulnerability in Starstream's distributor treasury contract. SlowMist (https://twitter.com/SlowMist_Team/status/1512482679660245000?s=20&t=stygd_MwbsW0aBElMHUr7Q) investigated and reported the following findings: WithdrawTokens function in the StarstreamTreasury contract can only be called by the owner to withdraw the reserves in the contract. On 4/7/22 @ 11:58:24 PM +8UTC, ownership of the StarstreamTreasury contract was transferred to a new DistributorTreasury contract (0x6f. . 25). The execute function in the new DistributorTreasury contract had a bug that allowed any user to make external calls through this function. The hacker used this function to call the withdrawTokens function to withdraw 532,571,155.859 stars stored in the contract. The stolen #STARS were used as collateral on Agora DeFi to borrow funds. Part of the borrowed funds was then used to increase the price of STARs to increase their collateral.

Detail Analysis

< Back

Starstream Finance

Submit Incident Report

Date:

Status:

Count:

Contributor:

April 7, 2022

Verified

zerofriction.io

Loss Amount:

8,200,000

Recovered Amount:

Currency:

Dollars, STARS

KYC By:

Audit By:

None

Solidity Finance, Tech Audit

Website:

https://starstream.finance/

Twitter:

https://twitter.com/starstreamfin

Discord:

https://discord.com/invite/FSTQQ2nWyE

Telegram:

No data

Medium:

No data

Github:

No data

Key Indicators

Platform:

Type:

Category:

Method:

Metis L2

Protocol

Yield Aggregator

Contract Vulnerabilities

Extended Method:

Visibility issue

Data Sources:

https://docs.starstream.finance/changelog/ir-07-04-22

AngoraDefi reported that over $8.2 million were drained due to a vulnerability in Starstream's distributor treasury contract. SlowMist (https://twitter.com/SlowMist_Team/status/1512482679660245000?s=20&t=stygd_MwbsW0aBElMHUr7Q) investigated and reported the following findings:

WithdrawTokens function in the StarstreamTreasury contract can only be called by the owner to withdraw the reserves in the contract. On 4/7/22 @ 11:58:24 PM +8UTC, ownership of the StarstreamTreasury contract was transferred to a new DistributorTreasury contract (0x6f. . 25).

The execute function in the new DistributorTreasury contract had a bug that allowed any user to make external calls through this function. The hacker used this function to call the withdrawTokens function to withdraw 532,571,155.859 stars stored in the contract.

The stolen #STARS were used as collateral on Agora DeFi to borrow funds. Part of the borrowed funds was then used to increase the price of STARs to increase their collateral.

DISCLAIMER: While Zero Friction LLC has used the best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to the accuracy or completeness, and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.

< Back