In November 2022, Skyward Finance became the first project in the NEAR ecosystem on the Rekt leaderboard of the biggest DeFi hacks.  The attacker exploited vulnerabilities in the Skyward contracts to drain approximately $3.2 million in tokens from the project.

Inside the Attack

The Skyward hack was made possible by a vulnerability in the redeem_skyward function within the project’s smart contracts.  The purpose of this function is to allow a user to redeem the SKYWARD tokens that they have earned for wNEAR tokens stored within the contract.

The redeem_skyward function failed to properly validate token_account_ids when processing redemptions.  The function verified that a provided token_account_id was valid but not that it was unique.  The attacker exploited this by sending in multiple arguments in a single call to the function, allowing them to redeem the same SKYWARD tokens multiple times.

Lessons Learned From the Attack

The Skyward Finance hack was possible because the contract unnecessarily allowed multiple token_account_ids to be passed to the redeem_skyward function when only one was necessary.  Additionally, no check was performed to ensure that the inputs were both valid and unique.

This type of simple vulnerability could have been detected and remediated by a smart contract audit before the contract was deployed to the blockchain.  For more information on how to secure your project’s smart contracts, reach out to our Web3 security experts at halborn@protonmail.com.