Starstream Finance Hacked, Around $4M Stolen

Key Takeaways:

  • Starstream Finance had its treasury drained in an exploit and has advised anyone holding funds in AgoraDefi to withdraw them. The team has announced this incident on their official Discord.
  • Wallet 0xFFD90C77eaBa8c9F24580a2E0088C0C940ac9C48 holds $50m+ of STARS minted via an unverified contract. These were supplied to AgoraDefi as collateral, and then WETH was borrowed out. The attacker is repeatedly selling the tokens here.

Here is some quick background on the projects involved.

Agora DeFi is a full fair launch, community-owned protocol for Lending, Borrowing, and Swapping on Metis Andromeda. Starstream Finance is the first Yield Optimizer & Aggregator on Metis Andromeda. Metis is a Layer 2 scaling protocol that allows developers to run applications, process transactions, and store data on a separate layer above Ethereum.

By April-07-2022, 5 PM EDT, the hacker had transferred 900 ETH to Tornado Cash. Additionally, the hacker took advantage of the public execute function in a DistributorTreasury contract and withdrew STARS from the StarstreamTreasury contract.

The root cause of this exploit is that the owner of the StarstreamTreasury contract, the DistributorTreasury contract, has a public execute function that makes a low-level call. The hacker can thus use this function to generate withdraw messages and withdraw STARS from StarstreamTreasury. Here is the link to the hacker's address. Here is the link to one of the exploit transactions.
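The access-control gap described above, as an added sketch that is not Starstream's deployed code. The contract names with Sketch, Vulnerable and Hardened suffixes, the function signatures, the admin role and the paidOut bookkeeping are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative sketch only: names, signatures and storage are assumed,
// not taken from the deployed Starstream contracts.

contract TreasurySketch {
    address public immutable owner; // set to the distributor contract
    mapping(address => uint256) public paidOut; // stand-in for STARS transfers

    constructor(address owner_) { owner = owner_; }

    function withdraw(address to, uint256 amount) external {
        // Only checks the immediate caller. If the owner is a contract that
        // forwards calls for anyone, this check no longer restricts anything.
        require(msg.sender == owner, "not owner");
        paidOut[to] += amount;
    }
}

contract DistributorVulnerable {
    // No caller check: any account can choose target and data, and the
    // low-level call reaches the target with msg.sender == address(this).
    function execute(address target, bytes calldata data)
        external returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

contract DistributorHardened {
    address public immutable admin; // hypothetical privileged role

    constructor(address admin_) { admin = admin_; }

    // Caller is authenticated before any call is forwarded. A narrower fix
    // is to drop generic execute and expose only the specific operations.
    function execute(address target, bytes calldata data)
        external returns (bytes memory)
    {
        require(msg.sender == admin, "not admin");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

When reviewing a contract that owns other contracts, treat every public or external function containing a low-level call as holding all of the owner's privileges and check that it authenticates its caller.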

This bug allowed the hacker to drain treasury funds along with their blackhole vault and then use them to borrow on Agora. Borrowed funds were then used to increase the price of STARS. The attacker then used this to borrow even more, most of which was bridged off, with the rest being used to create STARS LP and sent to the Tethys lock address. 20K METIS was also sent to the Starstream treasury distributor. Over 500M STARS were supplied to Agora as collateral, and $8.2M of assets were borrowed in Metis, USDC, and ETH. So, this was not an exploit on Agora’s contracts or TWAPs, but there was an $8.2M debt against the STARS collateral on the system. This has no effect on markets other than Agora.

The Starstream team is working with the Agora and Metis teams to resolve this. If the exploiter returns the funds, they will provide a 5% bounty. They have urged the exploiter to return the funds and contact the Metis team or us. They have also paused deposits to Agora DeFi. STARS collateral on Agora is set to 0. 20K METIS has now been returned to Agora DeFi. Agora money market reward emissions have been temporarily turned off for Supply / Borrow. The Agora DeFi team will re-enable them once they have an outcome with the Starstream team and plan to repay the debt.

