Kyber Network Advises Removal of Funds Amid Potential Vulnerability

Kyber Network, the developer of the Kyberswap Elastic decentralized crypto exchange, has announced a potential vulnerability in the exchange’s contracts. While no funds have been lost, the developer has advised liquidity providers to remove their funds as a precaution. Kyberswap Classic smart contracts do not contain the vulnerability, according to the Kyber Network team.

KyberSwap Elastic is a decentralized exchange that allows liquidity providers to provide “concentrated liquidity” by deciding a price ceiling and price floor for the tokens they deposit into the pool. If the price moves below the floor or above the ceiling, LPs no longer receive fees. However, they receive higher fees if the price stays within the range they have set.

In response to the potential vulnerability, farming rewards have been temporarily suspended until a new smart contract can be deployed. All rewards earned prior to April 18, 2023, 11pm (GMT+7) have already been dispersed and are unaffected by this pause. The developer has stated that it will update the community soon with an explanation as to when funds can be safely deposited back into the protocol.

This is not the first time Kyberswap has faced security issues. In September, the user interface for Kyberswap was hacked, resulting in an attacker getting away with $265,000 worth of crypto.

It is important for users to stay vigilant and follow the developer’s advice to remove funds as a precautionary measure. The Kyber Network team is working on a solution and will keep the community updated as the situation develops. In the meantime, users can monitor the situation closely and refrain from depositing any funds until the issue has been resolved.

In the broader context of decentralized finance (DeFi), security risks are always present, and it is crucial for developers to take appropriate measures to mitigate these risks. With the growing popularity of DeFi, security will continue to be a key concern for investors and users alike. As the industry evolves, it is important for developers to prioritize security measures and work together with the community to build trust in these platforms.


Tagged : / / / / /

Rogue Validator Outsmarts MEV Bots, Resulting in a $25 Million Loss

In a recent incident, MEV bots attempting sandwich trades suffered a massive loss of $25 million in digital assets due to a rogue validator. The bots were trying to execute sandwich transactions, which involves intercepting a trader’s transaction to profit from it. However, as the bots began to swap millions, the reverse transactions were replaced by a validator who went rogue, resulting in significant losses.

The losses included $1.8 million in Wrapped Bitcoin (WBTC), $5.2 million in USD Coin (USDC), $3 million in Tether (USDT), $1.7 million in Dai (DAI), and $13.5 million in Wrapped Ether (WETH). At the time of writing, most of the funds had been transferred to three different wallets.

In a Twitter thread, blockchain security firm CertiK explained that the vulnerability was due to the centralization of power with validators. As the MEV bots tried to perform front-run and back-run transactions for profit, the rogue validator swooped in to back-run the MEV’s transaction, resulting in significant losses.

The attack highlights the risks associated with MEV bots, despite their potential to earn vast amounts of digital assets. MEV bots have become increasingly popular in the crypto market, as they can execute complex trading strategies with speed and accuracy. However, they are also vulnerable to hacks and exploits, as seen in previous incidents.

CertiK warned that this attack could affect other MEV searchers conducting strategies such as sandwich trading. The team noted that there is a possibility that MEV searchers may become wary of non-atomical strategies due to this exploit.

The CertiK team emphasized the need for greater decentralization to reduce the vulnerability of validators to such attacks. This incident underscores the importance of blockchain security and the need for continuous monitoring and upgrading of security protocols to prevent such incidents.

In conclusion, the attack on MEV bots attempting sandwich trades by a rogue validator resulted in significant losses of $25 million worth of digital assets. The vulnerability was due to the centralization of power with validators, highlighting the need for greater decentralization to reduce the risks associated with such attacks. This incident underscores the importance of blockchain security and the need for continuous monitoring and upgrading of security protocols to prevent such incidents.


Tagged : / / / / / /

THORChain Pauses Network Amid Reports of Vulnerability

THORChain is a decentralized cross-chain liquidity protocol that enables users to swap assets between different blockchain networks without needing centralized exchanges. The platform, founded in 2018, currently offers swaps between eight different chains, including Bitcoin, Ethereum, and Litecoin.

On March 28, THORChain announced that it had temporarily paused all trading due to reports of a potential vulnerability with a THORChain dependency that could impact the network. The decision was made as a precautionary measure while the reports were verified, according to THORChain. Social media reports had indicated that THORChain’s liquidity platform, Nine Realms, and its dedicated security team, THORSec, had received “credible reports” of a possible vulnerability affecting THORChain. As a result, the THORChain network was halted globally.

“Network preemptively paused by NO’s to investigate the report; updates will follow,” Nine Realms tweeted.

THORChain’s native token, Rune (RUNE), has dropped about 5% in value following the news, according to CoinGecko data. As of this writing, the token is trading at $1.32, down 18% over the past 30 days.

This is not the first time that THORChain has had to pause its network due to issues. In October 2022, the network was paused due to a software bug that caused “non-determinism between individual nodes.” After 20 hours of maintenance, the network was fully functional once again.

In 2021, THORChain also had to halt its network after suffering a breach, resulting in hackers stealing $7.6 million worth of cryptocurrency assets.

After about eight hours of the initial announcement, THORChain updated its Twitter account, stating that the vulnerability was credible but would require a malicious node in the last churn, which is when new nodes are added to the network. THORChain has resumed trading as no nodes can exploit the current vulnerability, according to the update.

In conclusion, THORChain’s temporary network pause due to a potential vulnerability serves as a reminder of the risks associated with decentralized protocols. While such protocols offer many benefits, they can also be susceptible to security vulnerabilities and breaches. THORChain’s quick response and resolution to the situation demonstrate the importance of having a dedicated security team and protocol in place to handle potential issues swiftly and efficiently.


Tagged : / / / / /

Euler Finance suffers $197M DeFi hack

Euler Finance, a DeFi lending protocol, suffered a flash loan attack on March 13, resulting in the biggest hack of crypto in 2023 so far. The lending protocol lost nearly $197 million in the attack, impacting more than 11 other DeFi protocols as well. Euler Finance disabled the vulnerable etoken module and vulnerable donation function to block deposits.

On March 14, Euler Finance updated its users on the situation and notified them of the disabled features. The firm stated that it works with various security groups to perform audits of its protocol, and the vulnerable code was reviewed and approved during an outside audit. However, the vulnerability remained on-chain for eight months until it was exploited, despite a $1 million bug bounty in place.

Sherlock, an audit group that has worked with Euler Finance in the past, verified the root cause of the exploit and helped Euler submit a claim. The audit protocol later voted on the claim for $4.5 million, which passed, and later executed a $3.3 million payout on March 14.

In its analysis report, the audit group noted a significant factor for the exploit: a missing health check in “donateToReserves,” a new function added in EIP-14. However, the protocol stressed that the attack was still technically possible even before EIP-14.

Sherlock noted that the Euler audit by WatchPug in July 2022 missed the critical vulnerability that eventually led to the exploit in March 2023. Euler has also reached out to leading on-chain analytic and blockchain security firms, such as TRM Labs, Chainalysis, and the broader ETH security community, in a bid to help them with the investigation and recover the funds.

Euler Finance has notified that they are also trying to contact those responsible for the attack in order to learn more about the issue and possibly negotiate a bounty to recover the stolen funds. The incident highlights the need for regular audits of DeFi protocols to detect vulnerabilities and prevent hacks. As DeFi continues to grow and attract more users, security and reliability will become even more critical for the industry’s success.


Tagged : / / / / /

SushiSwap denies reports of billion dollar bug

The developer behind popular decentralized exchange SushiSwap has rejected a purported vulnerability reported by a white-hat hacker snooping through their smart contracts.

According to media reports, the hacker claimed to have identified a vulnerability that could place more than $1 billion worth of user funds under threats, stating they went public with the information after attempts to reach out to SushiSwap’s developers resulted in inaction.

The hacker claims to have identified a “vulnerability within the emergencyWithdraw function in two of SushiSwap’s contracts, MasterChefV2 and MiniChefV2” — contracts that govern the exchange’s 2x reward farms and the pools on SushiSwap’s non-Ethereum deployments such as Polygon, Binance Smart Chain and Avalanche.

While the emergencyWithdraw function allows liquidity providers to immediately claim their LP tokens while forfeiting rewards in the event of an emergency, the hacker claims the feature will fail if no rewards are held within the SushiSwap pool — forcing liquidity providers to wait for the pool to be manually refilled over a roughly 10-hour process before they can withdraw their tokens.

“It can take approximately 10 hours for all signature holders to consent to refilling the rewards account, and some reward pools are empty multiple times a month,” the hacker claimed, adding:

“SushiSwap’s non-Ethereum deployments and 2x rewards (all using the vulnerable MiniChefV2 and MasterChefV2 contracts) hold over $1 billion in total value. This means that this value is essentially untouchable for 10-hours several times a month.” 

However, SushiSwap’s pseudonymous developer has taken to Twitter to reject the claims, with the platform’s “Shadowy Super Coder Mudit Gupta stressing that the threat described “is not a vulnerability” and that “no funds are at risk.”

Gupta clarified that “anyone” can top up the pool’s rewarder in the event of an emergency, bypassing much of the 10-hour multi-sig process the hacker claimed is needed to replenish the rewards pool. They added:

“The hacker’s claim that someone can put in a lot of lp to drain the rewarder faster is incorrect. Reward per LP goes down if you add more LP.”

Related: SushiSwap’s token launchpad, MISO, hacked for $3M

The hacker said they had bee instructed to report the vulnerability on bug bounty platform Immunefi — where SushiSwap is offering to pay rewards of up to $40,000 to users that report risky vulnerabilities in their code — after they first reached out to the exchange.

They noted that the issue was closed on Immunefi without compensation, with SushiSwap stating they were aware of the matter described.