Ted Hisokawa
Jun 16, 2026 17:58
Fireblocks detected and mitigated vital zero-day flaws in SWEAT and HOT contracts on NEAR, safeguarding 22M customers from potential multi-million greenback losses.
Fireblocks has revealed its position in figuring out and mitigating two vital zero-day vulnerabilities that might have price NEAR Protocol customers hundreds of thousands of {dollars}. The failings have been found within the contracts of SWEAT, a token powering the Sweat Financial system ecosystem, and HOT, a Web3 governance token with over 22 million holders.
In late April 2026, Fireblocks’ blockchain monitoring flagged uncommon transactions on NEAR involving SWEAT tokens. Attackers have been draining wallets with out requiring non-public keys, phishing hyperlinks, or person signatures. One sufferer alone misplaced 8.5 million SWEAT tokens in a single exploit, valued at $170,000 to $250,000. The issue stemmed from a lacking safety guard within the ft_resolve_transfer callback operate, which refunded token balances with out verifying the caller’s id.
The exploit leveraged NEAR’s token normal (NEP-141), which makes use of ft_resolve_transfer to refund unused balances. In SWEAT’s implementation, this operate lacked NEAR’s #[private] macro, leaving it uncovered to public calls. Attackers exploited the flaw by crafting a malicious contract that tricked the system into issuing refunds on to their wallets. The consequence: hundreds of thousands of tokens drained from victims’ accounts.
HOT Contract Flaw Uncovered
After patching SWEAT’s vulnerability, Fireblocks launched a broader investigation throughout NEAR’s ecosystem. Their proactive search uncovered the identical flaw in HOT, a governance token with over 22 million holders. The potential penalties have been extreme—attackers may have exploited the identical “empty refund” logic to mint limitless HOT tokens or drain person balances. Fireblocks reported the difficulty to HOT’s maintainers, who deployed a patch the identical day.
The stakes have been huge. HOT’s ecosystem helps over 35 million customers and a whole bunch of hundreds of thousands of token transfers. A profitable exploit may have triggered large monetary losses and eroded confidence in NEAR’s infrastructure.
Broader Implications for Web3 Safety
Fireblocks’ swift motion highlights the rising stakes in blockchain safety. As AI instruments speed up the tempo of code evaluation, attackers can determine vulnerabilities in reside contracts sooner than ever. The identical instruments, nevertheless, can empower defenders to search out and repair flaws earlier than exploits happen.
For protocols like SWEAT, the results of such vulnerabilities should not simply monetary. SWEAT is a cornerstone of Sweat Financial system, a move-to-earn ecosystem that incentivizes bodily exercise via token rewards. The April 2026 exploit, which drained 13.71 billion SWEAT tokens (65% of provide), underscored the necessity for sturdy contract safety. Though person balances have been restored, the incident highlighted the fragility of token ecosystems reliant on sensible contract integrity.
As of June 16, 2026, SWEAT trades at $0.00071807, reflecting a 0.04481% decline within the final 24 hours. Its market cap stands at $8.93 million, underscoring the token’s restoration efforts post-exploit. HOT, in the meantime, prevented the same disaster because of Fireblocks’ intervention, preserving its ecosystem’s stability.
For Web3 builders, the lesson is evident: safety can’t be an afterthought. Because the arms race between attackers and defenders intensifies, proactive measures and rigorous audits are vital to safeguarding person belongings and ecosystem belief.
Picture supply: Shutterstock