Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Starstream is a suite of products for revenue aggregation, generation and smart contract deployments. It exists on the Metis L2 rollup.
The DistributorTreasury contract had a low-level call that took in arbitrary input. This allowed an attacker to perform arbitrary function calls as the contract. To exploit this, they called withdrawTokens in the StarstreamTreasury to send 532,571,155.859 $STARS to themselves. The treasury's owner was this contract, which gave it complete control to do whatever it wanted.
Allowing arbitrary calls through a low-level call is very bad practice. Make sure to restrict them; otherwise this type of attack will be possible.