The hacker exploited a vulnerability in Skyward’s smart contracts to drain the Skyward Treasury. The launchpad said the incident rendered its Treasury and native $SKYWARD token “effectively worthless.” Skyward assured its users that the breach did not affect “previous and existing sales,” but instructed them to withdraw their funds. “We recommend users to withdraw their funds safely where they can and for the community to no longer interact with Skyward,” Skyward Finance said on Twitter.
Bug in Skyward Smart Contracts
Skyward Finance is the first Initial Decentralized Exchange Offering (IDO) platform on the NEAR protocol. It is a permissionless crowdfunding platform that allows new crypto projects to list their tokens for sale. Until recently, the most popular way to list a new token for sale was through an initial coin offering (ICO). However, ICOs have developed a poor reputation due to a rise in rug-pulling scams and general concerns about safety and trustworthiness.

Skyward Finance allows users to redeem wrap.near tokens for $SKYWARD. However, according to blockchain security firm BlockSec, this function contains a bug — it does not check for duplicate IDs. “In this case, the attacker is able to redeem the treasury tokens multiple times with the same skyward share withdrawn once,” BlockSec tweeted. Skyward confirmed that the attacker withdrew wrap.near tokens multiple times within a single transaction.

Aurora Lab’s community moderator Sankey Naikwadi alerted Skyward to the breach, but said they couldn’t stop it. “Although the Skyward team responded instantly, but since treasury contracts are locked those can’t be paused by anyone, not even them,” Naikwadi tweeted. Skyward Finance confirmed this, saying “no one can pause or prevent future issues with the $SKYWARD token – not even us.”
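The bug class BlockSec describes, a batch redeem that pays out once per listed token ID but burns the caller's shares only once, is easiest to see in a small model. The Rust below is an added, constructed illustration written for this article; it is not Skyward's contract code and uses no NEAR SDK. The `Treasury` type, the token and account names, and the two `redeem_*` functions are all hypothetical. `redeem_unchecked` reproduces the missing duplicate check; `redeem_checked` rejects repeated IDs up front and burns the shares before any balance is moved, so the pro-rata ratio cannot be reused.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed toy treasury: a pool of tokens keyed by token id (e.g. "wrap.near"),
/// owned pro rata by holders of treasury shares. Illustration only, not Skyward's code.
#[derive(Debug, Clone)]
pub struct Treasury {
    balances: HashMap<String, u128>, // token id -> amount held by the treasury
    shares: HashMap<String, u128>,   // account -> shares of the treasury
    total_shares: u128,
}

#[derive(Debug, PartialEq)]
pub enum RedeemError {
    NoShares,
    UnknownToken(String),
    DuplicateToken(String),
}

impl Treasury {
    pub fn new(balances: &[(&str, u128)], shares: &[(&str, u128)]) -> Self {
        let total_shares: u128 = shares.iter().map(|(_, s)| s).sum();
        Treasury {
            balances: balances.iter().map(|(t, b)| (t.to_string(), *b)).collect(),
            shares: shares.iter().map(|(a, s)| (a.to_string(), *s)).collect(),
            total_shares,
        }
    }

    pub fn balance_of(&self, token_id: &str) -> u128 {
        self.balances.get(token_id).copied().unwrap_or(0)
    }

    /// VULNERABLE (constructed): pays the caller's pro-rata slice of every listed
    /// token id, then burns the shares once. Nothing rejects a repeated id, so
    /// listing "wrap.near" twice is paid twice against a single share burn.
    pub fn redeem_unchecked(
        &mut self,
        account: &str,
        token_ids: &[&str],
    ) -> Result<Vec<(String, u128)>, RedeemError> {
        let user_shares = *self.shares.get(account).ok_or(RedeemError::NoShares)?;
        let mut payouts = Vec::new();
        for id in token_ids {
            let bal = self
                .balances
                .get_mut(*id)
                .ok_or_else(|| RedeemError::UnknownToken(id.to_string()))?;
            let amount = *bal * user_shares / self.total_shares;
            *bal -= amount;
            payouts.push((id.to_string(), amount));
        }
        self.shares.remove(account);
        self.total_shares -= user_shares;
        Ok(payouts)
    }

    /// Hardened: validate the whole request (no duplicate or unknown ids) before
    /// touching state, then burn shares first and pay out second.
    pub fn redeem_checked(
        &mut self,
        account: &str,
        token_ids: &[&str],
    ) -> Result<Vec<(String, u128)>, RedeemError> {
        let mut seen: HashSet<&str> = HashSet::new();
        for id in token_ids {
            if !seen.insert(*id) {
                return Err(RedeemError::DuplicateToken(id.to_string()));
            }
            if !self.balances.contains_key(*id) {
                return Err(RedeemError::UnknownToken(id.to_string()));
            }
        }
        let user_shares = *self.shares.get(account).ok_or(RedeemError::NoShares)?;
        if user_shares == 0 {
            return Err(RedeemError::NoShares);
        }
        // Effects before interactions: the share burn happens before any payout,
        // so a partial failure or re-entry cannot reuse the redeem ratio.
        self.shares.remove(account);
        let total_before = self.total_shares;
        self.total_shares -= user_shares;
        let mut payouts = Vec::new();
        for id in token_ids {
            let bal = self.balances.get_mut(*id).expect("validated above");
            let amount = *bal * user_shares / total_before;
            *bal -= amount;
            payouts.push((id.to_string(), amount));
        }
        Ok(payouts)
    }
}

fn main() {
    // Constructed sample state: 1,000,000 wrap.near in the treasury, alice holds 10% of shares.
    let mut t = Treasury::new(&[("wrap.near", 1_000_000)], &[("alice", 10), ("bob", 90)]);
    println!("{:?}", t.clone().redeem_unchecked("alice", &["wrap.near", "wrap.near"]));
    println!("{:?}", t.redeem_checked("alice", &["wrap.near", "wrap.near"]));
}
```

The detection side of the same idea is cheap: a redeem request whose ID list contains repeats, or a single transaction that emits more than one payout event for the same token and account, is exactly the pattern the page describes and is worth alerting on even where the contract itself cannot be paused.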
Crypto Heists on the Rise
Hackers continue to exploit undiscovered vulnerabilities to steal enormous sums from crypto and decentralized finance (DeFi) projects. In late October, a malicious actor exploited a previously unknown vulnerability in Team Finance’s Uniswap migration function to steal tokens worth over $15 million. Blockchain analysis firm Chainalysis described October 2022 as “the biggest month in the biggest year ever for hacking activity.” Halfway through the month, hackers had already accumulated stolen loot worth $718 million from DeFi protocols. However, this figure pales compared to other breaches, such as the $600 million heist from the Poly Network in December 2021. This year, hackers have raked in millions from projects such as Beanstalk Farms and Wintermute.