Just over a week after its launch, Stars Arena, an Avalanche-based decentralized social media application, reported a major security breach with its smart contract.

In an X post on Oct. 7, the Stars Arena team notified users of the exploit and urged them not to deposit any funds on the platform.

“Our smart contract was exploited and the funds were drained. The site is currently under DDOS attack. We are working on a solution to get everyone’s funds recovered and have the Arena move forward,” said the team in another update shortly after. 

Blockchain security firm SlowMist estimated that 266,103 AVAX tokens had been stolen by the hacker, worth close to $3 million at the time of the exploit. 

Stars Arena is a fork of Friend.tech, the popular social media protocol that lets users trade social tokens tied to X (formerly Twitter) accounts. Like Friend.tech, Stars Arena quickly went viral in the days that followed its launch in late September, and added millions of dollars in value. 

On Oct. 5, an X user “liletch.eth” claimed to have discovered an exploit on Stars Arena, where an alleged $1.1 million was being drained. At the time, many users labelled the post “FUD” and a few hours later, Stars Arena declared that the exploit “had been fixed.”

However, after blockchain security firms began looking into the contract and confirming liletch.eth’s findings, the Stars Arena team changed its tune. 

In an X Spaces session, the team addressed the exploit, apologizing and offering solutions to move forward. 

The team still appears to have the backing of several prominent members of the crypto community, including Ava Labs founder Emin Gün Sirer. 

“Stars Arena is a profitable service that makes money. The amount lost, $3m, is something that SA can recover in about 10 days or so. Worst case, the team can borrow $3m and pay it back with interest,” said Gün Sirer.