Decoding SkywardFinance $3 Million Exploit | QuillAudits
Summary:
On the 2nd of November, 2022, Skyward Finance (a token issuance platform on the NEAR blockchain that helped projects with their initial token distribution) was attacked. The cause of the attack was incorrect input checks in the skyward.near contract, which resulted in the draining of around 1.1 Million $NEAR tokens, i.e. around $3.2 Million, by the hackers.
Introduction to Skyward Finance:
Skyward Finance is a project based on the NEAR Blockchain: a fully permissionless, open-source launchpad that allows projects to launch their tokens without any liquidity, with the best price discovery mechanism that is resistant to bots and Sybil attacks.
The Cause of the Attack:
The root cause of the attack was insufficient checks in the redeem_skyward function of the skyward.near contract. This function is used to redeem the reward from the treasury.
The function redeem_skyward takes two input parameters: skyward_amount and token_account_ids. In skyward_amount we pass the amount we want to redeem for the reward, and in token_account_ids we pass a list of ValidAccountIds, one per treasury token to be paid out.
In lines 169–170 of the function, the reward amount is calculated and skyward_burned_amount is updated.
Looking at that code, there is no check for duplicate entries in token_account_ids. This allows an attacker to pass the same id again and again in a single call, and the function pays out the reward for that token once per entry, i.e. multiple times.
The attack:
Attack Transaction: https://explorer.near.org/transactions/92Gq7zehKPwSSnpoZ7LGGtSmgmBb4wP2XNDVJqUZRGqz
Attacker: https://explorer.near.org/accounts/5ebc5ecca14a44175464d0e6a7d3b2a6890229cd5f19cfb29ce8b1651fd58d39
1. The exploiter effectively withdrew wrap.near multiple times within one transaction. He called the redeem_skyward function, passing values in the skyward_amount and token_account_ids parameters.
2. The attacker inserted the wrap.near address multiple times in the token_account_ids parameter. See below:
3. Here, as there was no check for duplicated token_account_ids, the attacker easily claimed the reward multiple times and stole around 1.1 Million $NEAR tokens, i.e. around $3.2 Million, in this attack.
How could this attack have been prevented?
The attack could have been prevented by adding a check for duplicated token_account_ids in the redeem_skyward function of the skyward.near contract, rejecting any call in which the same token account id appears more than once. This would prevent attackers from claiming the reward for one token multiple times.
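As an added example (not the skyward.near contract's own code), the following Rust model shows the redeem shape described above, where each entry in token_account_ids is paid out, next to the duplicate-id check proposed here. The treasury state, the amounts and the pro-rata payout formula are assumptions made for the illustration.

```rust
use std::collections::{BTreeMap, HashSet};

/// In-memory model of the treasury state (constructed for this example).
pub struct Treasury {
    /// Circulating SKYWARD supply that the treasury backs (assumed).
    pub skyward_total_supply: u128,
    /// Treasury balance held per token account id, e.g. "wrap.near".
    pub balances: BTreeMap<String, u128>,
}

impl Treasury {
    /// Pro-rata share of one token for `skyward_amount` of the supply, debited from the balance.
    fn take_share(&mut self, token_id: &str, skyward_amount: u128) -> u128 {
        let bal = self.balances.get(token_id).copied().unwrap_or(0);
        let share = bal * skyward_amount / self.skyward_total_supply;
        self.balances.insert(token_id.to_string(), bal - share);
        share
    }

    /// Vulnerable shape: one payout per list entry, so a repeated id is paid repeatedly
    /// while the SKYWARD amount is burned only once. Returns the total paid out.
    pub fn redeem_unchecked(&mut self, skyward_amount: u128, token_account_ids: &[&str]) -> u128 {
        let mut paid = 0u128;
        for id in token_account_ids {
            paid += self.take_share(id, skyward_amount);
        }
        self.skyward_total_supply -= skyward_amount;
        paid
    }

    /// Hardened shape: reject the whole call before touching state if any id repeats.
    pub fn redeem_checked(&mut self, skyward_amount: u128, token_account_ids: &[&str]) -> Result<u128, String> {
        let mut seen = HashSet::new();
        for id in token_account_ids {
            if !seen.insert(*id) {
                return Err(format!("duplicate token account id: {}", id));
            }
        }
        Ok(self.redeem_unchecked(skyward_amount, token_account_ids))
    }
}

/// Constructed sample state: 1_000 SKYWARD outstanding, 1_000_000 wrap.near in the treasury.
pub fn fresh_treasury() -> Treasury {
    let mut balances = BTreeMap::new();
    balances.insert("wrap.near".to_string(), 1_000_000u128);
    Treasury { skyward_total_supply: 1_000, balances }
}
```

With 10% of the supply redeemed, a single "wrap.near" entry pays 100_000, while three repeated entries pay 100_000 + 90_000 + 81_000 = 271_000 for the same burn; the checked version refuses the repeated list and leaves the treasury untouched.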
After the Exploit:
On 3rd November, Skyward Finance announced the exploit and further communicated that their native token $SKYWARD had become worthless.
They recommended users withdraw their funds safely where they can. Also, they asked the community to no longer interact with Skyward.
Price Slippage:
The price of the $SKYWARD token fell from $14 to $0.8 after the attack.
Reference:
https://twitter.com/WuBlockchain/status/1588009621381603328
https://twitter.com/skywardfinance/status/1587947957789331457
Web3 Security: Need of the Hour
Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.