An exploitation attack at Stars Arena resulted in a loss of approximately 266,103 AVAX (~$2.88m), an event highlighted by the CertiK Skynet Alert system. The hack was executed via a reentrancy exploit, which allows an attacker to reenter and manipulate a function in a smart contract before it is resolved.
The funds are currently housed in the EOA 0xa2E account, which was similarly involved in a previous exploit of Stars Arena on October 5. The attacker manipulated values affecting price acquisition to get an inflated selling price for the tokens.
On-chain analytics firm PeckShield's initial analysis of this hack confirms a reentrancy issue with the Stars Arena: Shares contract. The exploit was used to update the weight when the share/ticket is issued, enabling the selling of one share at a significantly higher price – about 274k AVAX.