HBARX: Update on NearX security incident


2 mins read / updated on Fri Sep 08 2023


Update on NearX security incident
On 16 Aug 2022, an exploit was found and used on Stader’s liquid staking solution on the NEAR blockchain. The attack was quickly discovered and contained, and the total value loss was limited to 165k Near (~800k USD). In this blog, we will take a deeper look at the nature of the exploit, how it was specific to the Near blockchain, and why it won’t affect HBAR or any of Stader’s other liquid staking solutions.

Context
To understand the exploit we need to understand an aspect particular to NEAR.

Most blockchains have a token standard and reference implementation of that standard (HTS in the case of HBAR). Near has prescribed token specifications for NEP 141, but the implementation as per specifications was to be done by Stader itself. This is a regular process followed by each protocol on Near.

What happened
Our token implementation for NearX (Stader’s liquid staking token on Near) was where the bug was exploited. A specific edge case in the implementation of the token standard by Stader led to the bug that resulted in the exploit. The malicious actor was able to build up a large position in NearX without staking or interacting with the staking contract. The attacker then went on to drain liquidity on the DEX pools. Our monitoring systems caught the issue and we paused the NearX contract to limit the damage.

It bears noting that our staking contract, which controls the workflows and staked funds, had no issues, and staked Near remained and remains safe.

Resolution:
Stader has announced that we will revert NearX back to a pre-attack state and make the affected users whole by covering the ~165k Near losses. You can read the announcement here

Why can this not happen on HBAR?

  1. Reference HTS token implementation: Hedera has a battle-tested reference implementation of the HTS token that Stader and other protocols use. This implementation has been tested over millions of transactions, across multiple protocols, and is thus very robust.
  2. HBAR solution is on a different tech stack: None of the code for our Near solution (token or staking contract) is reused in the HBARX implementation — Near is based on Rust while Hedera is an EVM compatible chain.

Additionally, our HBAR staking implementation has been stress tested across several months, with 86k+ transactions and 12k+ users. As a precaution, we continue to work with security experts to stress test all our contracts.

As always, we thank you, the Hedera community, for your support. Feel free to reach out to us on our Telegram channel. We will also be hosting AMAs over the coming days to provide more details and answer your queries.

By:

Stader Labs
