Skyward Finance Allegedly Suffers $3M Loss in Exploit

The hacker allegedly redeemed over 1.1 million wrapped Near tokens in a loop from Skyward’s treasury contract in the said transaction. 

Skyward Finance, an initial DEX offering (IDO) platform, has reportedly suffered a loss of 1.1 million Near Protocol tokens, worth almost $3 million. The team behind the Launchpad project, which enables fair token distribution for projects on the Near Protocol, acknowledged the exploit and the loss, explaining that the “Skyward Treasury has been drained through a contract exploit.”

News of the exploit was shared on Twitter by Aurora Lab’s community moderator Sanket Naikwadi, who revealed that the exploit was first caught by a member of the Near Protocol community with the handle Nearscout.

The exploit, according to security company BlockSec, was perpetrated in just a single transaction. The hacker allegedly redeemed over 1.1 million wrapped Near tokens in a loop from Skyward’s treasury contract in the said transaction.

The hacker is also thought to have initiated the drain by purchasing lots of Skyward tokens on Ref Finance, before redeeming them through Skyward Finance, where they appear to have “got lots of NEAR than what 1 SKYWARD was worth.”

Ref Finance, a community-led multi-purpose decentralized finance () platform built on the Near Protocol, has also reportedly been notified of the drain.

BlockSec also discovered a flaw in the contract’s token-redemption function that failed to check for duplicate token account IDs. The security firm also revealed that the contract was open to the public and could be accessed by anyone who wanted to redeem Skyward Finance tokens for wrapped Near tokens.

Holders of SKYWARD Tokens were advised by Naikwadi to exchange or redeem their tokens elsewhere and to cut off communication with Skyward Finance.

“If you’re a SKYWARD Token holder, redeem/swap wherever you can and no longer interact with Skyward Finance. Hacker has already withdrawn NEAR to lots of different wallets,” he on Twitter.

The latest hack comes as exploits within the DeFi ecosystem continue to grow. Blockchain analytics firm Chainalysis recently labeled October 2022 as “the biggest month in the biggest year ever for hacking activity.”

As many as 44 exploits were responsible for more than $650 million in losses just last month.