A security attack cost Skyward Finance, an open-source launchpad built on the NEAR chain, 1.1 million NEAR tokens (about 3 million US dollars). Aurora Lab’s community moderator Sanket Naikwadi initially revealed the discovery on Twitter, stating that they immediately notified the Skyward team and Ref Finance, a community-led DeFi platform built on the NEAR Protocol.
The @skywardfinance was just exploited for ~1.1M $NEAR Tokens (Worth ~3M) . 😢
Thnx to @NearScout for noticing the treasury drain, he pinged me asking if something is wrong with skyward… then we looked into contract txns and found out about the exploit and sus txns.
— SankΞt Ⓝ⚡️| sanketn81.near ,sanketn81.lens 🛸 (@sanket_naikwadi) November 2, 2022
The attackers allegedly bought large amounts of Skyward tokens on Ref Finance, then “redeemed them through Treasury on Skyward Finance,” earning more than the worth of the Skyward tokens they initially invested.
Based on an analysis of the on-chain transaction data, he adds that the hacker appears to have passed numerous arguments in a single transaction. For every extra value passed, as Sanket noted, the attacker received an extra redemption without holding Skyward tokens.
“Although the Skyward team responded instantly, but since treasury contracts are locked those can’t be paused by anyone, not even the team,” he wrote in his tweets.
Skyward Treasury And Tokens Are “Effectively Worthless”
Skyward Finance reported via Twitter that the Skyward Treasury had been emptied via a contract flaw, leaving Treasury and Skyward tokens “effectively worthless,” but current and previous token sales remain unaffected.
We regret to inform you that the Skyward Treasury has been drained through a contract exploit, rendering the Treasury and the $SKYWARD token effectively worthless. However, current and previous token sales are unaffected.🧵
— Skyward Finance (@skywardfinance) November 2, 2022
The exploiter allegedly withdrew wrap.near several times in a single transaction. As a result, Skyward Finance advises users to withdraw their assets safely wherever possible and urges the community to stop interacting with the Skyward platform.
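The flaw described above, where each extra argument passed in one transaction earned another redemption and wrap.near was withdrawn several times, can be modeled as a redeem call that trusts its token list. The following Rust model is an added example, not Skyward's contract code; the `Treasury` type, the function names and all balances are constructed assumptions.

```rust
use std::collections::{HashMap, HashSet};

// Simplified, hypothetical treasury model; not Skyward's contract code.
pub struct Treasury {
    pub supply: u128,                    // circulating share tokens
    pub balances: HashMap<String, u128>, // treasury holdings per token id
}

impl Treasury {
    // Constructed sample state: 100 share tokens backed by 1000 wrap.near.
    pub fn sample() -> Self {
        let balances = HashMap::from([("wrap.near".to_string(), 1000u128)]);
        Treasury { supply: 100, balances }
    }

    // Flawed: pays a pro-rata share for every list entry but burns only once,
    // so a repeated token id is paid again for each repetition.
    pub fn redeem_flawed(&mut self, burn: u128, ids: &[&str]) -> u128 {
        let supply = self.supply;
        let mut total = 0;
        for id in ids {
            let bal = self.balances.entry(id.to_string()).or_insert(0);
            let out = *bal * burn / supply;
            *bal -= out;
            total += out;
        }
        self.supply -= burn;
        total
    }

    // Hardened: validate the burn and reject repeated ids before any state
    // change, then run the same payout loop on the now-unique list.
    pub fn redeem_checked(&mut self, burn: u128, ids: &[&str]) -> Result<u128, String> {
        if burn == 0 || burn > self.supply {
            return Err("invalid burn amount".to_string());
        }
        let mut seen = HashSet::new();
        if let Some(dup) = ids.iter().find(|id| !seen.insert(**id)) {
            return Err(format!("duplicate token id: {}", dup));
        }
        Ok(self.redeem_flawed(burn, ids))
    }
}

fn main() {
    let ids = ["wrap.near", "wrap.near", "wrap.near"];
    println!("flawed:  {}", Treasury::sample().redeem_flawed(10, &ids));
    println!("checked: {:?}", Treasury::sample().redeem_checked(10, &ids));
}
```

In this model, burning 10 of 100 share tokens should release 100 units, yet the flawed path releases 271 when the same id is listed three times, while the checked path rejects the call and leaves the treasury untouched.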
Following the exploit, the Skyward token dropped sharply from above $13 to $0.72, a loss of over 94% on CoinGecko.
There has been a significant increase in Decentralized Finance exploits, and vulnerability reports are being published virtually daily. October 2022, the biggest month of the biggest year ever for hacking activity, recorded more than 11 DeFi protocol hacks, according to Chainalysis data, suggesting that 2022 is poised to exceed 2021 as the most active year for hacking ever.
The Cryptocurrency Post reported yesterday, November 2, that Deribit, the leading cryptocurrency options exchange by market share, lost up to $28 million as a consequence of an exploit on one of its hot wallets. Deribit stated, however, that customer assets were not impacted and that every loss was covered by company reserves.