So what made the StarsArena rug hard to spot?
The UI was smooth even after the initial rush of users. As I mentioned, a good UI/UX is indicative of good engineering, and it’s natural to extrapolate that to mean good security. Unfortunately that wasn’t the case here.
The founder of Avalanche was outright shilling StarsArena. This really added to the perceived “legitimacy” and made me much more comfy with it.
SA did 637k in fees over the last day. The price of $AVAX was +30% from when SA launched to the high on Oct 6th. SA was very quickly gaining users, and by comparison it was clear they could push for a TVL an order of magnitude greater than FriendTech’s. Why compromise that?
Given the above, SA felt “safe”. If I had looked a little more carefully, the signs were there that it wasn’t. So what did I glance over?
A verified smart contract is one whose published source code, when compiled, produces the bytecode actually deployed at that address. That is what lets anyone read what the contract really does rather than trusting the team’s description of it.
An unverified contract does not by itself mean a rug, but it is a red flag: verification is cheap and routine, so a team that skips it is choosing to keep the code opaque. Why take the extra step to hide it?
SA’s smart contract was unverified. Knowing this would’ve made me think twice.
Folks like cygaar and foobar had mentioned this, and this was 100% on me for not paying attention and verifying.
SA had also had an earlier vulnerability that was quickly patched up, another red flag.
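The check an explorer performs when it marks a contract “verified” is a bytecode comparison, and it is worth seeing why a naive byte-for-byte comparison is not enough. The following is an added example, not code from the original post or from StarsArena: it assumes you have already fetched the on-chain runtime bytecode (for example via an `eth_getCode` RPC call) and compiled the published source locally with the same solc version; neither step is included. The sample bytecodes are constructed, with a realistic solc prologue and the CBOR metadata suffix solc appends, so the script runs offline.

```python
# Added example (not part of the original post): classify how on-chain runtime
# bytecode compares with locally compiled bytecode, the check behind a
# "verified" label. Sample bytecodes below are constructed, not real contracts.

def _hex_to_bytes(code: str) -> bytes:
    """Accept '0x'-prefixed or bare hex, as returned by eth_getCode / solc."""
    code = code.strip()
    if code.startswith(("0x", "0X")):
        code = code[2:]
    return bytes.fromhex(code)


def strip_metadata(code: bytes) -> bytes:
    """Remove the CBOR metadata suffix solc appends to runtime bytecode.

    The final two bytes are a big-endian length of the metadata blob that
    precedes them. The blob starts with a CBOR map header (0xa1..0xa3) and
    carries the IPFS/Swarm hash of the source metadata plus the compiler
    version, so it changes whenever comments, whitespace or file names change
    even though the executable code is identical.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - meta_len
    if start < 0 or code[start] not in (0xA1, 0xA2, 0xA3):
        return code  # no recognisable metadata suffix; leave untouched
    return code[:start]


def classify_match(onchain_hex: str, compiled_hex: str) -> str:
    """Return 'full', 'partial' or 'mismatch'.

    'full'     : byte-for-byte identical, metadata included
    'partial'  : identical once the metadata suffix is stripped (same code,
                 different source metadata hash); still a legitimate match
    'mismatch' : executable code differs, so the published source is NOT
                 what runs at that address
    """
    onchain = _hex_to_bytes(onchain_hex)
    compiled = _hex_to_bytes(compiled_hex)
    if onchain == compiled:
        return "full"
    if strip_metadata(onchain) == strip_metadata(compiled):
        return "partial"
    return "mismatch"


# Constructed sample bytecode. The leading bytes are the standard solc prologue
# (PUSH1 0x80 PUSH1 0x40 MSTORE ...); the tail is a 51-byte CBOR metadata blob
# (ipfs hash + solc 0.8.19 version) followed by its length, 0x0033.
_CODE = "6080604052348015600f57600080fd5b50600436106100285760003560e01c"
_META_TEMPLATE = "a2646970667358221220{ipfs}64736f6c63430008130033"

ONCHAIN = "0x" + _CODE + _META_TEMPLATE.format(ipfs="11" * 32)
# Same code recompiled from sources with different comments: new IPFS hash only.
COMPILED_SAME = _CODE + _META_TEMPLATE.format(ipfs="22" * 32)
# One opcode changed in the code section (0x57 JUMPI -> 0x56 JUMP).
COMPILED_DIFF = _CODE.replace("600f57", "600f56", 1) + _META_TEMPLATE.format(ipfs="22" * 32)

if __name__ == "__main__":
    print(classify_match(ONCHAIN, ONCHAIN))        # full
    print(classify_match(ONCHAIN, COMPILED_SAME))  # partial
    print(classify_match(ONCHAIN, COMPILED_DIFF))  # mismatch
```

A “partial” result is normal and is what explorers accept when the source matches but the metadata hash does not; only a “mismatch” means the source you are reading is not the code you are interacting with. If no source has been published at all, there is nothing to compare against, which is exactly the situation an unverified contract puts you in.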
The silver lining to this debacle for me was sizing responsibly – don’t put capital at risk that you can’t afford (financially + mentally) to lose, especially within newer protocols.
I need to be more diligent and thoughtful around what I share. SocialFi is an interesting, shiny new thing – naturally you want to onboard other folks. I’ve tweeted a lot about its growth in the last few days, which has some negative externalities. I deeply regret it if this affected anyone.