Skyward Finance Treasury Logic Bug
$3.2M drained from Skyward Finance on NEAR via a treasury accounting flaw that let the attacker redeem SKYWARD repeatedly against the same balance.
- Date
- Victim: Skyward Finance
- Chain(s)
- Status
- Funds Stolen
On November 3, 2022, the NEAR-based fundraising/IDO protocol Skyward Finance lost approximately $3.2 million through a flaw in its treasury redemption accounting. The attacker exploited a path where SKYWARD token redemptions did not correctly decrement the treasury's accounting, letting them redeem repeatedly against the same balance.
What happened
Skyward's treasury allowed SKYWARD holders to redeem tokens for a share of treasury assets. The redemption function's accounting failed to enforce that redeemed balances were burned/decremented before the assets were paid out, which is the recurring checks-effects-interactions violation that produces a double-spend. The attacker looped redemptions, draining the treasury's NEAR holdings (~$3.2M).
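The accounting requirement described above, as an added example in Rust (the language NEAR contracts are commonly written in): a simplified in-memory model, not Skyward's contract code, showing the pay-without-burn shape beside the burn-before-payout fix. The `Treasury` type, its method names and all balances are hypothetical and constructed for illustration.

```rust
// Simplified model of the redemption flaw described above. Not Skyward's
// contract code; every name and number here is hypothetical/constructed.
use std::collections::HashMap;

pub struct Treasury {
    pub assets: u128,                    // treasury holdings paid out on redemption
    pub supply: u128,                    // circulating redeemable token supply
    pub balances: HashMap<String, u128>, // holder -> redeemable token balance
}

impl Treasury {
    pub fn new(assets: u128, holders: &[(&str, u128)]) -> Self {
        let balances: HashMap<String, u128> =
            holders.iter().map(|(k, v)| (k.to_string(), *v)).collect();
        let supply: u128 = balances.values().sum();
        Treasury { assets, supply, balances }
    }

    // Checks: validate the request and compute the pro-rata treasury share.
    fn quote(&self, who: &str, amount: u128) -> Result<(u128, u128), &'static str> {
        let bal = *self.balances.get(who).ok_or("unknown holder")?;
        if amount == 0 || amount > bal { return Err("insufficient balance"); }
        Ok((bal, self.assets * amount / self.supply))
    }

    // Flawed shape: assets leave, but the redeemed balance is never burned.
    pub fn redeem_flawed(&mut self, who: &str, amount: u128) -> Result<u128, &'static str> {
        let (_bal, payout) = self.quote(who, amount)?;
        self.assets -= payout;
        Ok(payout)
    }

    // Hardened shape: burn balance and supply first, then release assets.
    pub fn redeem(&mut self, who: &str, amount: u128) -> Result<u128, &'static str> {
        let (bal, payout) = self.quote(who, amount)?;
        self.balances.insert(who.to_string(), bal - amount);
        self.supply -= amount;
        self.assets -= payout;
        Ok(payout)
    }
}

fn main() {
    let mut t = Treasury::new(1_000, &[("alice", 100), ("bob", 900)]);
    let first = t.redeem("alice", 100);
    let second = t.redeem("alice", 100);
    println!("{:?} then {:?}; assets left {}", first, second, t.assets);
}
```

In the hardened path the second redemption against the same balance is rejected, and the remaining holder can still redeem the full remainder of the treasury.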
Aftermath
- Skyward Finance effectively wound down after the treasury drain.
- One of relatively few catalogue entries on NEAR, illustrating the chain-agnostic nature of accounting bugs.
Why it matters
Skyward is a NEAR-side instance of the redemption double-spend pattern — the same class as Level Finance's reward double-claim and [Skyward]. The catalogue's recurring quiet thesis applies: NEAR's smaller DeFi ecosystem re-learned, at user expense, an accounting-discipline lesson the larger ecosystems had already paid for. The bug is chain-independent; the requirement — decrement/burn before you pay out, every time, on every value-moving path — is one every chain's builders rediscover the hard way.
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-skyward-finance-hack-november-2022
- [02] medium.com: https://medium.com/neptune-mutual/decoding-skyward-finance-smart-contract-vulnerability-3e38c5d0e312
- [03] web3isgoinggreat.com: https://www.web3isgoinggreat.com/?id=skyward-finance-treasury-drained-of-3-2-million