Skyward Finance - REKT
Skyward Finance has come crashing down to earth.
The NEAR-based token launchpad had its treasury drained of 1.1M NEAR, worth approximately $3.2M at the time.
The exploit caused the price of SKYWARD to tank by ~90%:
Rather than the usual damage-control and downplaying, the team’s announcement concedes that the exploit “render[ed] the Treasury and the $SKYWARD token effectively worthless.”
Going on to explain that the contracts are fully immutable, the Skyward assured any projects currently launching via the platform that “existing and previous sales are not affected, so funds and proceeds can be withdrawn safely.”
But there was no such good news for Skyward holders:
We recommend users to withdraw their funds safely where they can and for the community to no longer interact with Skyward.
Was this incident an honest, albeit simple, mistake?
Or a planned ejector seat?
Credit: Sanket Naikwadi, BlockSec
Shortly after 5pm UTC yesterday, the exploiter redeemed (previously accumulated) SKYWARD for wNEAR from the treasury using the redeem_skyward function.
However, the function lacks proper verification of the token_account_ids parameter, allowing the attacker to loop the redemption of wNEAR by repeatedly passing their withdrawal within the transaction.
The exploiter repeated the exploited redemption process until the treasury had been drained of wNEAR.
Exploiter’s address: 5ebc5ecca14a44175464d0e6a7d3b2a6890229cd5f19cfb29ce8b1651fd58d39
Attack tx: 92Gq7zeh…
The fact that it took over a year for anyone to find this relatively simple exploit is remarkable.
Perhaps hackers are less familiar with the NEAR ecosystem and feel their time and resources can be put to use more profitably elsewhere…
Or maybe this was a planned exit-by-exploit, and the users were right to be concerned before launch…
This is the first leaderboard entry (#88) for a NEAR-based project; let’s hope we can learn something from it…
When headed Skyward, don't fly too NEAR to the sun.
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C
disclaimer:
REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.
you might also like...
Jimbo's Protocol - REKT
Jimbo’s Protocol was hit with a flash loan attack in the early hours of Sunday, losing $7.5M. The team have sent the attacker an ultimatum. But for now, Jimbo is stuck in limbo.
Tornado Cash Governance - REKT
Cypherpunks strive to become ungovernable... but not like this. Tornado Cash's governance has been taken hostage via a trojan horse proposal. But now the hacker is proposing reversing the effects of their exploit. Hopefully this all turns out to be just a storm in a teacup.
Swaprum - REKT
Swaprum, an Arbitrum-based DEX, pulled the rug for $3M on Thursday. Certik, the project's auditor, has since updated Swaprum’s security score to “Exit Scam”. Too little, too late?