3 min read

Decoding Skyward Finance Smart Contract Vulnerability

On November 02, 2022, Skyward Finance experienced a vulnerability exploit and lost over…

Skyward Finance Smart Contract Vulnerability

TL;DR#

On November 02, 2022, Skyward Finance experienced a vulnerability exploit and lost over 1.08 million $NEAR tokens worth approximately $3.2 million.

Introduction to Skyward Finance#

Skyward Finance is an on-chain asset issuance IDO platform that facilitates price discovery and equitable token distribution on the NEAR protocol.

Vulnerability Assessment#

The vulnerability was caused by a lack of check and parameter validation in one of the smart contract's functions.

Steps#

  1. In the exploit transaction , the hacker effectively withdrew wrap.near tokens multiple times within one transaction.

  2. The exploiter purchased a large quantity of $SKYWARD tokens on Ref Finance before redeeming them on Skyward Finance via Treasury.

  3. The vulnerability existed in the contract's redeem_skyward function, which is used to redeem the treasury from the protocol.

  4. This function did not validate whether the passed in values of token_account_ids are duplicate entries.

  1. The attacker can thus claim treasury token rewards multiple times by using the same token account id.
  1. The attacker sent in duplicate token_account_id and used the loop values to deposit the rewards multiple times.

Aftermath#

The team informed that the Skyward Treasury was drained due to this attack, effectively rendering the Treasury and the $SKYWARD token worthless. They added that the contracts are fully locked, meaning that no one can pause or prevent future issues with the $SKYWARD token.

The lack of a recovery plan during hacks or exploits is typically indicative of an exit scam. A few of these activities leading to rug-pull in this industry are premeditated and self-made by the team in order to avoid prosecution or gain media attention before planning for their next venture.

How to prevent such an attack vector#

This exploit could have been avoided if proper validation techniques had been used to ensure that no duplicate token_account_ids were passed during the functional call. It is also recommended that such values are not passed as parameters, because they can be easily manipulated.

Protocol, and Platform Security#

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.


About Us#

Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.

Join us in our mission to cover, protect, and secure on-chain digital assets.

Official Website: https://neptunemutual.com
Blog: https://blog.neptunemutual.com/
Twitter: https://twitter.com/neptunemutual
Reddit: https://www.reddit.com/r/NeptuneMutual
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual

By