Beosin: Analysis of the Attack on StarStream

On April 8, 2022, according to Beosin-Alert, StarStream Finance’s DistributorTreasury contract was exploited for 532M $STARS, then 900ETH was swapped out by the hacker. Beosin security team analyzed the incident and the results are as follows:

StarStream Introduction

Starstream is a suite of products that provides revenue aggregation, revenue generation and one-click smart contracts on Metis L2 rollup. The protocol is maintained by various devs and managed by STARS holders.

● Transaction hash:

0xb1795ca2e77954007af14d89814c83b2d4f05d1834948f304fd9d731db875435

● Exploiter’s address:

0xffd90c77eaba8c9f24580a2e0088c0c940ac9c48

● Contract that launched the attack:

0x75381c1f12733fff9976525db747ef525646677d

● Attacked contract:

0x6f99b960450662d67bA7DCf78ac959dBF9050725

Attack Process

1. The project party (0x000007-d653cd) created StarstreamTreasury (0x1075da-0c90e9) and DistributorTreasury (0x6f99b9- 050725) contracts and transfered the ownership of the StarstreamTreasury contract to DistributorTreasury.

2. The attacker exploited the unsafe low-level call in the execute function of the DistributorTreasury contract to perform external function execution. This allowed the attacker to use this to call withdrawTokens in the StarstreamTreasury contract to withdraw a total of 532,571,155.859 $STARS from the contract.

Vulnerability Analysis

The root cause of this vulnerability is that the DistributorTreasury contract has an insecure low-level call which can be utilized by an attacker to perform arbitrary function execution.

Fund Tracing

The current flow of funds is shown below:

Summary

In response to this incident, the Beosin security team recommends:

  1. Smart contracts devs should pay attention to permission control when designing and implementing key operations;

  2. Before the project goes live, it is highly recommended to conduct a professional contract security audit to avoid security risks.
    Beosin can provide professional security audit services. For more details, please visit our official website or contact us via Twitter, Discord or Telegram, etc.
    Beosin can provide professional security audit services. For more details, please visit our official website or contact us via Twitter, Discord or Telegram, etc.

    Contact US

    Website: https://beosin.com/

    Email:contact@beosin.com

    Twitter: https://twitter.com/Beosin_com

    Telegram: https://t.me/beosin

    Medium:https://medium.com/@Beosin

    Github: https://github.com/Beosin20180329

    Discord: https://discord.com/invite/B4QJxhStV4

Subscribe to Beosin
Receive the latest updates directly to your inbox.
Verification
This entry has been permanently stored onchain and signed by its creator.