Starstream Finance Hacked, Around $4M Stolen

Key Takeaways:

  • Starstream Finance had their treasury drained in an exploit and has advised anyone holding funds in AgoraDefi to withdraw them. The Team has announced this incident on their official Discord.
  • Wallet 0xFFD90C77eaBa8c9F24580a2E0088C0C940ac9C48 holds $50m+ of STARS minted via an unverified contract and were supplied to AgoraDefi as collateral, and then WETH was borrowed out. The attacker is repeatedly selling the tokens here.
Starstream Finance Hacked, Around $4M Stolen

Here is a quick background of all the projects involved here.

Agora DeFi is a full fair launch, community-owned protocol for Lending, Borrowing, and Swapping on Metis Andromeda. Starstream Finance is the first Yield Optimizer &andAggregator on Metis Andromeda. Metis is a Layer 2 scaling protocol that allows developers to run applications, process transactions, and store data on a separate layer above Ethereum.

By April-07-2022, 5 PM EDT, the hacker had transferred 900 ETH to Tornado Cash. Additionally, the hacker took advantage of the public execute function in a DistributorTreasury contract and withdrew STARS from the StarstreamTreasury contract.

Starstream Finance Hacked, Around $4M Stolen

The root cause of this exploit is the StarstreamTreasury contract’s owner DistributorTreasury contract has a public execute function, which has a low-level call. The hacker can thus use this function to generate withdraw messages and withdraw STARS from StarstreamTreasury. Here is the link of the address of the hacker. Here is the link of one of the exploited transactions.

Starstream Finance Hacked, Around $4M Stolen

This bug allowed the hacker to drain treasury funds along with their blackhole vault and then use them to borrow on Agora. Borrowed funds were then used to increase the price of STARS. The attacker then used this to borrow even more, most of which was bridged off, with the rest being used to create STARS LP and sent to the Tethys lock address. 20K METIS was also sent to the Starstream treasury distributor. Over 500M STARS were supplied to Agora as collateral, and $8.2M of assets were borrowed in Metis, USDC, and ETH. So, this was not an exploit on Agora’s contracts or TWAPS, but there was an $8.2M debt against the STARS collateral on the system. This has no effects on the markets other than Agora.

Starstream Team is working with the Agora and Metis teams to resolve this. If the exploiter returns the funds, they will provide a 5% bounty. They have urged the exploiter to return the funds and contact the Metis team or us. They have also paused deposits to Agora DeFi. STARS collateral on Agora is set to 0. 20K Metis are returned to Agora DeFi now. Agora money market reward emissions have been temporarily turned off for Supply / Borrow. Agora DeFi Team will re-enable once they have an outcome with the Starstream team and plan to repay the debt.

Default image
Yash Kamal Chaturvedi

Btech Computer Science, Maharshi Dayanand University, Rohtak (2023)