It's a ponzi, stupid
I’d like to start off by addressing the obvious. Yes, Stars Arena (and other SocialFi platforms) are (mostly) ponzis. Most of crypto is a ponzi, honestly. Very little of actual value is produced by any participants.
The key thing that identifies SocialFi as a ponzi is the Bonding Curve. I’ve heard a lot of blather on spaces about “creator economies” but you could support that with tipping, subscriptions, and one-time fees.
A bonding curve ensures that as more people “invest”, late entrants pay more than early entrants. It ensures that there are winners and losers, and it provides the “investors” incentive to pump (and dump).
And that’s really the genius of SocialFi as a ponzi; it provides extremely clear incentives to the participants:
Room owners have an incentive to create volume and increase share price because they get a big cut.
Room owners can pump their own shares by buying them, and potentially dump them later.
People have an incentive to spread the ponzi for referral fees.
People who have invested in a specific room have an incentive to pump the room so they can dump at a higher price.
All this results in very clear winners (people who are early / influencers) and losers (people who get suckered in late). And let’s not forget the platform, which takes a cut as well.
In total, the taxes on buys AND sells come out to 10%:
7% to room owner
2% to platform
1% to referrer OR platform if no referrer set
And boy, is it profitable:
Returning to an earlier point, the fact that the platform makes fees would be fine, if it actually provided value back to users. But it’s become clear that it was just a mechanism for people to hype up the ponzi. Currently, the team has earned more in revenue than there is TVL.
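To make the curve and the fee split above concrete, here is an added toy simulation written for this post; it is not Stars Arena’s contract or anything from its team. The curve itself (the k-th share costs k²/16000 AVAX), the fee being charged on top of buys and deducted from sells, and every account name are assumptions for illustration; the 7/2/1 split is the one listed above.

```python
"""Toy bonding-curve share market (added illustration, not Stars Arena's code).

Assumed for illustration: the k-th share costs k*k / 16000 AVAX, buyers pay the
10% tax on top of the price, sellers have it deducted from their proceeds.
All arithmetic is in wei-like integers, the way a contract would do it.
"""

WEI = 10**18


def share_price(supply: int, amount: int) -> int:
    """Gross price in wei of `amount` shares on top of `supply` existing ones.
    Each successive share costs more, so late entrants pay more than early ones."""
    return sum(k * k * WEI // 16000 for k in range(supply + 1, supply + amount + 1))


def fee_split(gross: int, has_referrer: bool) -> dict[str, int]:
    """The 10% tax from the post: 7% room owner, 2% platform, 1% referrer,
    with the referrer's point going to the platform when none is set."""
    fees = {"owner": gross * 7 // 100, "platform": gross * 2 // 100, "referrer": gross // 100}
    if not has_referrer:
        fees["platform"] += fees["referrer"]
        fees["referrer"] = 0
    return fees


class Room:
    def __init__(self) -> None:
        self.supply = 0
        self.pool = 0                      # wei backing the shares: the room's TVL
        self.holdings: dict[str, int] = {}
        self.fees = {"owner": 0, "platform": 0, "referrer": 0}
        self.cash: dict[str, int] = {}     # net wei per trader: negative = paid in

    def _collect(self, fees: dict[str, int]) -> int:
        for k, v in fees.items():
            self.fees[k] += v
        return sum(fees.values())

    def buy(self, who: str, amount: int, has_referrer: bool = True) -> int:
        gross = share_price(self.supply, amount)
        paid = gross + self._collect(fee_split(gross, has_referrer))
        self.pool += gross
        self.supply += amount
        self.holdings[who] = self.holdings.get(who, 0) + amount
        self.cash[who] = self.cash.get(who, 0) - paid
        return paid

    def sell(self, who: str, amount: int, has_referrer: bool = True) -> int:
        if amount <= 0 or self.holdings.get(who, 0) < amount:
            raise ValueError("invalid sell")
        gross = share_price(self.supply - amount, amount)
        payout = gross - self._collect(fee_split(gross, has_referrer))
        self.pool -= gross
        self.supply -= amount
        self.holdings[who] -= amount
        self.cash[who] = self.cash.get(who, 0) + payout
        return payout

    def conserved(self) -> bool:
        """Every wei paid in is still in the pool, was taken as fees, or was paid out."""
        return -sum(self.cash.values()) == self.pool + sum(self.fees.values())


def simulate(crowd: int = 20) -> dict:
    """One early buyer, a crowd, one late buyer; then early and late both exit."""
    room = Room()
    room.buy("early", 1)
    for i in range(crowd):
        room.buy(f"crowd{i}", 1)
    room.buy("late", 1)
    room.sell("early", 1)                  # exits at the top of the curve
    room.sell("late", 1)                   # exits one step lower, taxed on the way in and out
    return {
        "early_pnl": room.cash["early"],
        "late_pnl": room.cash["late"],
        "fees": dict(room.fees),
        "pool": room.pool,
        "conserved": room.conserved(),
    }


if __name__ == "__main__":
    r = simulate()
    print(f"early: {r['early_pnl'] / WEI:+.4f} AVAX   late: {r['late_pnl'] / WEI:+.4f} AVAX")
    print(f"fees taken: {sum(r['fees'].values()) / WEI:.4f} AVAX, pool left: {r['pool'] / WEI:.4f} AVAX")
```

The `conserved` check is the point a practitioner cares about: the pool never contains more than buyers put in, minus fees, so the early seller’s profit is exactly the late buyer’s loss, and the 10% round-trip tax means a buyer who sells back one step later loses even without anyone else leaving.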
It has terrible UX, the platform is unstable, and it’s full of bugs.
I still get ‘failed to log in via twitter’ EVERY TIME even though it actually works.
New features? Nah.
Bot mitigation, banning scammers / spammers? Nah.
Let’s talk more concretely about what went wrong.
The early days
When first announced, sentiment in Discord was negative.
Basically it was seen as a FrendTech fork except on a chain without the active hype to support it.
I wasn’t paying enough attention at the time, but somehow it blew up. People actually liked using it (and liked making money). Although it had some stability issues, so did FrendTech.
Although I don’t really like SocialFi as a concept, I was pretty hyped for the effect on the community. Everyone was excited and happy. For the first time in ages, Avax was making green candles. We were headed towards the promised land.
The first exploit
Those stability issues got worse over time, culminating in the first ‘exploit’ where attackers spammed zero-share sells to earn a tiny amount of avax per transaction.
For some reason, a ‘war room’ had to be assembled to make what is honestly a one-line fix. Here, I’ll do it for free:
require(amount > 0, "can't sell zero shares");
From what I’m told, the dev couldn’t figure out how to update the proxy contract. You can actually see him fucking it up several times, on chain, recorded for posterity.
I was also told that after repeated requests, he did provide the source code to the contract (which was unverified). And he did receive feedback that there were issues with the specific function that dealt with adjusting the bonding curve.
I was also told (but have not been able to verify) that when asked on a space later in the day, he publicly stated that the contract could not be verified because there were issues with a potential vulnerability.
One thing I want to address is the fact that they claimed that instability in the site was because they were being attacked by bots. Now, I’m sure people were scraping the API. It’s inevitable.
But bot attacks? Give me a fucking break. They didn’t even have Cloudflare set up. How do you not have Cloudflare set up? It’s like the first thing you do.
Confirming that bots were not the issue, the later relaunch included Cloudflare proxying and the site was still a trainwreck that barely loaded.
The second exploit
Stars Arena was exploited shortly thereafter, losing the entirety of the TVL (266K AVAX, 3M USD). The attacker went through the same risky function, which contained a reentrancy bug.
It’s important to note that this is the best-known EVM vulnerability. ChatGPT can spot this issue for you, if you’re stupid enough to not take it into account.
It’s also crazy that the contract was redeployed with speculative, untested, unaudited features available to be called by any user, after it had already been exploited once.
I cannot state enough how insane and clownish this is. When I heard this I actually assumed that the hack was an inside job, because no one could be this fucking stupid. But they also seem too fucking stupid to execute the exploit. We’ve discovered a new level of catch-22.
I was very upset.
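The bug class behind the second exploit, and the guard that would have stopped the first, as an added illustration that is not Stars Arena’s code (the real contract was unverified, and nothing here claims to reproduce it): a toy share market in Python standing in for the EVM. The vulnerable path pays the seller before reducing their balance, so code running in the seller’s fallback can sell again while the books still show the old balance and price; the hardened path uses checks-effects-interactions ordering. The curve (the k-th share costs k·k units), the account names and the attacker’s strategy are assumptions for illustration.

```python
"""Added illustration, not Stars Arena's contract: a toy share market that pays
the seller BEFORE updating its books (the textbook re-entrancy bug) beside the
checks-effects-interactions ordering that neutralises it. The curve, the
accounts and the attacker's strategy are assumptions for illustration.
"""

from typing import Callable


class Reverted(Exception):
    """Stand-in for an EVM revert."""


def share_price(supply: int, amount: int) -> int:
    """Price of `amount` shares on top of `supply` existing ones (assumed curve)."""
    return sum(k * k for k in range(supply + 1, supply + amount + 1))


class ShareMarket:
    def __init__(self, safe: bool) -> None:
        self.safe = safe
        self.supply = 0
        self.balance = 0                                 # units the contract holds (its TVL)
        self.shares: dict[str, int] = {}
        self.wallets: dict[str, int] = {}                # units paid out to each account
        self.hooks: dict[str, Callable[[], None]] = {}   # an account's receive() fallback

    def buy(self, who: str, amount: int) -> int:
        if amount <= 0:
            raise Reverted("can't buy zero shares")
        cost = share_price(self.supply, amount)
        self.balance += cost
        self.supply += amount
        self.shares[who] = self.shares.get(who, 0) + amount
        return cost

    def sell(self, who: str, amount: int) -> int:
        # Checks: the first exploit's one-line fix, then ownership.
        if amount <= 0:
            raise Reverted("can't sell zero shares")
        if self.shares.get(who, 0) < amount:
            raise Reverted("not enough shares")
        payout = share_price(self.supply - amount, amount)
        if self.safe:
            # Effects before interactions: when the seller's code runs, the books
            # already show the shares gone, so a nested sell is just another
            # honest sale at the next (lower) price.
            self.shares[who] -= amount
            self.supply -= amount
            self._send(who, payout)
        else:
            # Interaction first: the seller's fallback runs while shares and
            # supply still hold pre-sale values, so a nested sell passes the
            # same checks and is paid the same top-of-curve price again.
            self._send(who, payout)
            self.shares[who] -= amount
            self.supply -= amount
        return payout

    def _send(self, to: str, units: int) -> None:
        if self.balance < units:
            raise Reverted("contract cannot pay")
        self.balance -= units
        self.wallets[to] = self.wallets.get(to, 0) + units
        hook = self.hooks.get(to)
        if hook is not None:
            hook()   # as on the EVM, the receiver's code runs before we return


def run_attack(safe: bool, victims: int = 9, attacker_shares: int = 5) -> dict:
    """Victims buy one share each, the attacker buys several, then sells one
    share from a fallback that keeps selling for as long as the checks pass."""
    m = ShareMarket(safe=safe)
    for i in range(victims):
        m.buy(f"victim{i}", 1)
    paid = m.buy("attacker", attacker_shares)
    sells = {"n": 0}

    def reenter() -> None:
        if sells["n"] < attacker_shares and m.balance >= share_price(m.supply - 1, 1):
            sells["n"] += 1
            m.sell("attacker", 1)

    m.hooks["attacker"] = reenter
    sells["n"] += 1
    m.sell("attacker", 1)
    return {"paid": paid, "received": m.wallets["attacker"], "pool_left": m.balance,
            "supply": m.supply, "attacker_shares_left": m.shares["attacker"]}


def rejects_zero_sell() -> bool:
    """The first exploit's guard: selling zero shares must revert, not pay."""
    m = ShareMarket(safe=True)
    m.buy("holder", 1)
    try:
        m.sell("holder", 0)
    except Reverted:
        return True
    return False


if __name__ == "__main__":
    for label, safe in (("vulnerable", False), ("checks-effects-interactions", True)):
        r = run_attack(safe)
        print(f"{label}: paid {r['paid']}, received {r['received']}, pool left {r['pool_left']}")
```

With the numbers above, the attacker pays 730 for five shares either way; the vulnerable ordering hands back 980 and leaves 35 in a pool that is supposed to back nine other holders, while the safe ordering hands back exactly 730. Note that the fix does not stop re-entry, it makes re-entry harmless; a `nonReentrant` mutex is the other standard remedy and the two are usually used together.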
So what went wrong?
Some have said that there should have been an audit for the code before launch, which I don’t agree with. Things blew up very fast; the TVL skyrocketed over the course of a few weeks. Small devs can’t afford an audit before launching a product like this.
Of course, after the hack, they claimed that there was an audit in progress.
Regardless, once there was a million dollars at risk and income was $30K per day, the right course of action would be to take a quarter of a day’s revenue and bribe a few auditors to drop what they were doing and do an unofficial audit ASAP.
I can name 3 qualified auditors in the Avax community off the top of my head. It would have been very easy to do, it could have been done in a day, and if they didn’t know anyone, Avalabs could have hooked them up.
Once the first exploit had occurred, that DEFINITELY should have happened. Everything after that point is on the team. Huge failure of judgement to just continue onward, especially after being warned about the latent issues.
The site went down for a week while the team did… stuff. I’m not sure what they did, other than migrate to a new contract with new wallet addresses, and get an audit.
The actual migration was a bit embarrassing to watch, as they executed a tx for every active user. But at least people got to watch things happening.
They didn’t include anything in the migration that allowed third party integrators (like myself) to correlate the previous user wallet to the new one, although they did provide a mapping a day later. They seemingly forgot to migrate referrals at first, although they did so 5 days later (with no announcement as far as I can tell).
The launch was… disappointing. The migrate experience was bad, everything immediately broke, and things only marginally got better over the next few days. I was told by many people that they depended on ArenaBook because the site itself wasn’t working.
How things could have gone
I don’t have any inside information on how things went down, but I can imagine the dysfunction, I’ve seen it before firsthand. Nontechnical people vastly underestimate the amount of effort required to make a product with a large user base function reliably. Rescuing an existing (but failing) product is almost HARDER to do.
It’s true that you can’t just throw people at a problem to solve it faster, but you can definitely try.
They had the funds, they had the income, they had the future earnings. There’s a great article by Time about fixing the Obamacare Website. That’s clearly not the scope of what had to happen here, but the same kind of mentality was needed.
If I were in charge of turning around a project like this, I’d have hired probably 4-6 devs for a two week span, bribed them with a ton of money, and worked them like dogs. There were a ton of things that needed to get done and the work could have been parallelized.
Lead dev to organize all this stuff. Given the scale, it probably doesn’t need a dedicated eng manager / tech lead, so this person should be capable of filling gaps in other areas.
Smart contract dev to work on the contract changes required, communicate tightly with the auditors, script the migration, and test the shit out of both of those things.
UX dev to handle the changes required as part of the migration, tighten up the twitter integration, and improve performance for the UX. Leftover time could be spent on new features including some truly basic gaps. This person would probably be a long term hire, if possible.
Infrastructure dev to work on improving scalability, stability, and monitoring. It’s a tragedy that the site couldn’t stay up. They should have had probes that monitored response times, alerting on error rates, and autoscaling + min resource level cranked to the tits.
Dedicated dev assigned to creating a staging environment. I would put good money on there being no way to test changes other than locally / in prod. They should work with every other engineer and spend a lot of time on documentation for procedures.
Not all these roles would have to be permanent but they should have been filled, even if you had to pay 5K per day for each of them, every day for a week. Once it recovered to a steady state, it could be managed by 2-3 devs while putting out a steady stream of improvements.
Why didn’t they invest like this? It’s unclear to me. They had lightning in a bottle here, and the failings of the site really just put a damper on the whole thing.
Regardless, they spent too much time just barely treading water. Predictably, users became frustrated. The fact that spam bots and scam bots and tip begging became commonplace exacerbated issues; I don’t think they had the availability to pivot to fighting that when they should have, because they were trying hard just to meet the bare minimum of ‘the site loads’.
But god damn are there a lot of bugs.
The fluffy side of Stars Arena
I’ll admit, although I find plenty to criticize on the technical execution, I don’t know enough to criticize the community building / marketing side of the operation. This is a pretty key area of building a product, and I am absolutely awful at it.
From what I can tell they did successfully manage to find passionate users. Every day there were multi-hour Spaces on twitter. Supposedly people were really enjoying using it and communicating about it.
How much of this was luck vs deliberate planning? I have no idea. I can say that I do find the marketing / communications part of the team to be absolute asshats. Clowns of the highest order.
Translation: I didn’t know what was going on so I made some shit up.
I mean the original guy was kind of retarded so I can understand why they kicked him out. But how did they kick him out? And why is he back?
Are you fucking kidding me? They made 600K in revenue and they need to raise more funds. From AVALAUNCH?
Yeah anyone expecting to get an airdrop out of this is well-regarded.
Doing literally anything except building the product. I think this idiot later got caught pumping and dumping people in his room and they had to disown him.
Anyway, for some reason @VirtualQuery and I ended up building a really nice analytics site on top of this can of shit.
There was some skepticism at the outset.
But I like to think we ended up with a pretty nice product. Free to use for all, and people seemed to like it.
Fortunately, some monetization options were found.
This was helped by the fact that they didn’t copy the referrers over, and our site worked, unlike the arena. Oh, found this screenshot of them lying about that.
So anyway, we made some money in the first couple of days, until they migrated over the previous referrers, then our income dropped quite a bit. There’s no way in the contract for tools like ours to take a cut other than by claiming the referrals. We had a tip jar on the site, but almost no one bothered to tip.
So for lack of a better option, and against my personal preference, we started ticket gating all new ‘premium’ features. Existing features all stayed free.
This had the somewhat predictable effect of making our ticket prices jump. Which is good for our arena fees, not so good for users being able to access our tools. Later on we rolled out a subscription-based fee. Possibly too late, as things were starting to look a bit grim.
And we made some decent money off this. We got about 60 subscriptions, a bit less than the 100 I was hoping for. Kelso_MKK@ generously donated this way (I assume), since he bought 6 subscriptions for himself (and this thing will be dead in a week).
Of course, we got called grifters in the process.
This guy was a treat. Really big ‘No, it is the children who are wrong’ vibes from him as literally half of avax ct shit on him for his terrible opinions.
This coming from a guy who runs a ‘paid calls’ discord and is the founder of a ‘protocol’ that has a ‘coming soon’ sign for six months.
I wouldn’t be surprised if the TVL continues to drop in chunks of a few thousand at a time. The team seems uninterested in actually building a product or incapable of doing so, too much circle-jerking going on.
Site won’t load? They’ll get to it after the cap table is worked out.
Biggest ball fumble I think I’ve ever seen. And maybe you’re thinking “Who is tactical_retreat to be making these kinds of criticisms”. Which I’ll admit is fair. You’ll never catch me saying something this retarded.
At least I had some fun along the way. ArenaBook will stay up for at least the next month. I’ll leave you with one final meme, courtesy of the infamous @geeeeeee6793.