Exploit of KyberSwap’s Concentrated Liquidity Feature Results in $46 Million Loss

On November 23, 2023, the decentralized finance (DeFi) space was shaken by a meticulously planned exploit of KyberSwap, a leading decentralized exchange (DEX). The exploit, which Doug Colkitt, creator of Ambient exchange, characterized as “the most complex and carefully engineered” he had ever seen, resulted in a loss of approximately $46 million.

To grasp the exploit’s intricacy, one must first understand ‘concentrated liquidity.’ This feature, common across DEXs like KyberSwap, Uniswap, and Ambient, allows liquidity providers to allocate their assets within specific price ranges, enhancing capital efficiency. However, this mechanism also introduces unique vulnerabilities, as exploited in this incident.

The attacker’s strategy revolved around the Ethereum ETH/wstETH pool on KyberSwap. Starting with a flash loan of 10,000 wstETH (worth about $23 million), the attacker manipulated the pool’s price dynamics. By injecting 2,800 wstETH ($6 million) into the pool, they significantly skewed the ETH to wstETH price ratio. This action moved the pool’s price to a range with virtually no existing liquidity, setting the stage for the exploit.

With the pool’s price artificially altered, the attacker then minted a small amount of liquidity in a narrowly defined price range. Following this, they executed two crucial swaps. The first swap involved selling a large quantity of wstETH for a minimal amount of ETH, drastically pushing the price down. The second swap reversed this, buying back a more significant amount of wstETH for a fractionally higher amount of ETH. This series of transactions should have, under normal circumstances, resulted in negligible net gains due to the self-contained nature of the trades.

However, due to a mathematical flaw in KyberSwap’s contract, these trades did not net out as expected. The contract failed to accurately account for the liquidity changes during these swaps, leading to a misrepresentation of the available liquidity. This flaw enabled the attacker to extract far more wstETH than they initially deposited, effectively creating an “infinite money glitch.”

The critical point of failure was the contract’s handling of the updateLiquidityAndCrossTick function. During the first swap, this function, which adjusts the curve’s liquidity value based on the LP range positions at a given price tick, was not invoked correctly. As a result, the pool’s liquidity was not accurately updated, allowing the attacker to exploit this oversight to their advantage. The precise manipulation of swap quantities and prices indicates a deep understanding of the underlying contract mechanics by the attacker.
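The missed liquidity update described above can be caught by a simple invariant: the liquidity the pool tracks must equal the sum of the LP positions covering the current price. The following is an added example, not KyberSwap's code; `ToyPool`, its float prices and the `skip_cross_update` flag are hypothetical simplifications used to model the skipped update.

```python
from dataclasses import dataclass

@dataclass
class ToyPool:
    price: float
    positions: list          # (lower, upper, liquidity) ranges; constructed sample data
    liquidity: float = 0.0   # liquidity the pool believes is active at `price`

    def __post_init__(self):
        self.liquidity = self.expected_liquidity()

    def expected_liquidity(self):
        """Ground truth: sum of all positions whose range covers the current price."""
        return sum(liq for lo, hi, liq in self.positions if lo <= self.price < hi)

    def _net_at(self, bound):
        """Liquidity that becomes active when the price rises through `bound`."""
        return (sum(liq for lo, _, liq in self.positions if lo == bound)
                - sum(liq for _, hi, liq in self.positions if hi == bound))

    def swap_to(self, target, skip_cross_update=False):
        """Move the price to `target`; `skip_cross_update` models the missed update."""
        up = target > self.price
        lo_p, hi_p = sorted((self.price, target))
        bounds = {b for lo, hi, _ in self.positions for b in (lo, hi)}
        for bound in (b for b in bounds if lo_p < b <= hi_p):
            if not skip_cross_update:
                self.liquidity += self._net_at(bound) if up else -self._net_at(bound)
        self.price = target

    def invariant_holds(self):
        """The check a fuzz or monitoring harness would assert after every swap."""
        return self.liquidity == self.expected_liquidity()


def round_trip(skip_first_cross):
    """Swap down out of a narrow range and back up; return (tracked, expected, ok)."""
    pool = ToyPool(price=1.05, positions=[(1.0, 1.1, 500.0)])
    pool.swap_to(0.95, skip_cross_update=skip_first_cross)  # first swap leaves the range
    pool.swap_to(1.05)                                       # second swap re-enters it
    return pool.liquidity, pool.expected_liquidity(), pool.invariant_holds()
```

In this toy model the skipped update leaves the range's liquidity counted after the price has left it, and re-entering the range counts it a second time, so the pool prices swaps against liquidity that no position backs.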

This incident has profound implications for the DeFi ecosystem, particularly concerning the security of smart contracts. While Colkitt noted that this exploit is specific to Kyber’s implementation and does not necessarily pose a threat to other DEXs with concentrated liquidity, it underscores the need for more rigorous security measures and vulnerability assessments in DeFi protocols. The precision and sophistication of the attack also highlight the evolving nature of threats in the DeFi space.

The KyberSwap exploit serves as a stark reminder of the complexities and vulnerabilities inherent in DeFi. It underscores the importance of continuous security audits and the need for the DeFi community to remain vigilant against such sophisticated attacks. As DeFi continues to grow and evolve, so too must the security measures that protect its infrastructure and users.

Image source: Shutterstock


Two Suspects Uncovered by Binance in Connection to KyberSwap Frontend Attack

Binance might have successfully uncovered the brains behind the KyberSwap frontend hack, which was perpetrated last Thursday.


Binance, the largest cryptocurrency exchange by market trading volume, has independently identified two individuals suspected to be the bad actors behind the KyberSwap scam, which led to the loss of over $265,000 in cryptocurrencies belonging to users. CEO Changpeng ‘CZ’ Zhao took to his Twitter page to announce the hack.

On Thursday, 1st September, the decentralized finance (DeFi) exchange platform KyberSwap noticed suspicious activities on its front end and had to shut it down to conduct investigations. Upon completing the investigations, Kyber Network discovered malware had been introduced into its servers. Specifically, malicious code had been injected into its Google Tag Manager (GTM).

The code initiated false approvals, which in turn led to the loss of $265,000 in users’ funds. Notably, the target of the malicious code was whale accounts with huge amounts of funds in them. 

KyberSwap, which was initially disabled, came back online after less than two hours following a series of checks which ascertained that the bad script had been pulled out. The DeFi exchange scrutinized its front end to decipher the extent of the damage done, the affected wallet addresses, and the attacker’s address.

Big Brother Binance Steps in For Troubled Crypto Firms

As compensation, KyberSwap promised the scammers about 15%, or approximately $40,000, of the hijacked funds if they are returned. To help the investigation, the Binance security team sent its intel to the Kyber Network team and has now started coordinating with law enforcement agencies.

This is not the first time the largest exchange has stepped in to help other troubled crypto firms salvage their platforms. Notably, Binance helped to recover about $5.8 million of the $625 million stolen from Axie Infinity’s Ronin Bridge when it was attacked a few months ago.

All things considered, Binance is recognized for showing proactiveness and offering selfless effort to help investors. 

A community member attested to this when he said, “Binance is now playing the role of a big brother in the crypto space. Binance has gone beyond securing its platform to securing the entire crypto ecosystem.”


Hacker Steals $265,000 in User Funds from KyberSwap

KyberSwap announced that $265,000 in user funds were stolen after a hacker exploited the multichain DEX aggregator’s front end.


The company confirmed the hacking incident, followed by announcing that compensation would be made to the victims of the attack. A 15% bounty will be released for the hacker if all the funds are returned and if the hacker speaks directly with the KyberSwap team.

According to the details released from KyberSwap, the hacker exploited the code initially at approximately 2:30 am EST. “We identified a malicious code in our Google Tag Manager (GTM) which inserted a false approval, allowing a hacker to transfer a user’s funds to his address,” the company said in its official notice.

The notice further explained that the hacker had discreetly injected the script to target whale wallets with large amounts specifically.
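The false approval described in both reports on this incident can be caught before signing by decoding the transaction and comparing the spender against the contracts the front end is supposed to use. The following is an added example, not KyberSwap's or Binance's code; it assumes the approval is a standard ERC-20 `approve(address,uint256)` call, and the addresses and allow-list are constructed placeholders.

```python
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1

def decode_approve(calldata_hex):
    """Return (spender, amount) for ERC-20 approve calldata, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # selector (4 bytes) + two 32-byte ABI words; the address is left-padded with zeros
    if len(data) != 136 or data[:8] != APPROVE_SELECTOR or data[8:32] != "0" * 24:
        return None
    try:
        return "0x" + data[32:72], int(data[72:], 16)
    except ValueError:          # non-hex characters in the amount word
        return None

def review(calldata_hex, allowed_spenders):
    """Classify a transaction the front end asks the wallet to sign."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return "not-an-approval"
    spender, amount = decoded
    if spender not in allowed_spenders:
        return "BLOCK: spender not on allow-list"
    if amount == UNLIMITED:
        return "WARN: unlimited allowance"
    return "ok"

def encode_approve(spender, amount):
    """Build sample calldata for exercising the checks."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed placeholder addresses, not taken from the incident.
ROUTER = "0x" + "11" * 20      # stands in for the DEX's legitimate router contract
UNKNOWN = "0x" + "ee" * 20     # stands in for an address injected by a tampered script
ALLOWED = {ROUTER}

if __name__ == "__main__":
    for spender, amount in [(ROUTER, 1000), (ROUTER, UNLIMITED), (UNKNOWN, UNLIMITED)]:
        print(spender, review(encode_approve(spender, amount), ALLOWED))
```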

Following investigations, the company was able to neutralize the exploit within two hours.

The company has also urged users to proceed with using its platform with caution for the time being.

The attack on KyberSwap was comparatively smaller than other recent attacks on DeFi projects, which have seen numerous multimillion-dollar thefts of users’ funds.

However, it does highlight the wide range of ways DeFi users are vulnerable to attacks.
