Nov 23, 2023 Alexander Chelpanov
Exclusive Insight: Unraveling the November 2023 KyberSwap Hack
On November 23, 2023, KyberSwap, a notable decentralized exchange (DEX), experienced a highly sophisticated and carefully orchestrated cyber attack. This article aims to dissect the intricacies of this cyber heist, providing an all-encompassing and detailed examination of the events, methods, and consequences of the exploit.
What Happened in the KyberSwap Hack?
KyberSwap, part of the Kyber Network, fell victim to a cyber attack, leading to a staggering loss of approximately $46 million in various crypto assets. This incident was first reported by the Kyber Network team on X (Twitter), urging users to withdraw their funds as a precautionary measure.
🚨Urgent🚨
Dear KyberSwap Elastic Users,
We regret to inform you that KyberSwap Elastic has experienced a security incident.
As a precautionary measure, we strongly advise all users to promptly withdraw their funds. Our team is diligently investigating the situation, and we…
— Kyber Network (@KyberNetwork) November 22, 2023
How Did the KyberSwap Exploit Occur?
The exploit leveraged a flaw in KyberSwap's concentrated liquidity feature. The attacker manipulated the pool contract so that it miscalculated the liquidity that was active at the current price, and then drained substantial funds from the exchange through a series of carefully constructed transactions.
What Assets Were Stolen in the KyberSwap Hack?
The attack resulted in the theft of a diverse portfolio of assets, including $20 million in Wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH), and $4 million in Arbitrum (ARB). The funds were distributed across multiple blockchains, such as Arbitrum, Optimism, Ethereum, Polygon, and Base.
How Did the KyberSwap Attacker Execute the Exploit?
A detailed analysis by DeFi expert Doug Colkitt reveals the attacker used what he termed an “infinite money glitch.” The attacker initially borrowed a significant amount of wstETH from Aave, then manipulated the price in the ETH/wstETH pool on Ethereum. This was achieved by strategically depositing and withdrawing tokens to exploit a numerical bug in the liquidity calculation.
1/ Finished a preliminary deep dive into the Kyber exploit, and think I now have a pretty good understanding of what happened.
This is easily the most complex and carefully engineered smart contract exploit I've ever seen...
— Doug Colkitt (@0xdoug) November 23, 2023
What Enabled the KyberSwap November 2023 Exploit?
The KyberSwap exploit, meticulously analyzed by Doug Colkitt, founder of Ambient Finance, stands out for the complexity and precision with which it abused a smart contract vulnerability. This section delves deeper into the technical nuances that allowed the attacker to execute this intricate exploit.
How Did the Attacker Manipulate KyberSwap’s Liquidity Calculations?
- Specificity to Kyber’s Implementation: The exploit was uniquely tailored to KyberSwap's specific implementation of concentrated liquidity. This meant that while similar DeFi platforms had no inherent vulnerability to this exploit, any forks of Kyber were at risk.
- Targeting the ETH/wstETH Pool: The attacker focused on the Ethereum pool containing Ether and Lido Wrapped Staked Ether (wstETH). This was the first pool drained, setting the stage for subsequent attacks on other pools.
- Using Flash Loans for Price Manipulation: The attacker began by borrowing a significant amount of wstETH via a flash loan. They then dumped a portion of these tokens into the pool, causing a drastic price drop. This step was crucial in moving the pool price to a point on the liquidity curve where there were no existing liquidity positions, essentially creating a "clean slate" for the exploit.
- Liquidity Minting and Burning: The attacker minted a small amount of wstETH liquidity within a very specific price range and then burned a portion of it. This step seems to have been instrumental in aligning the numerical values for the subsequent steps of the exploit.
- Executing Precise Swaps: Two swaps were carried out around the manipulated price point. Ordinarily, such actions would result in no net gain due to the absence of external liquidity, but the exploit manipulated the system to bypass this.
- Exploiting a Numerical Bug: The crux of the exploit lay in a numerical bug within KyberSwap's smart contract. During the first swap, the attacker avoided triggering the function ('updateLiquidityAndCrossTick') that adjusts the pool's active liquidity when the price crosses a range boundary. By tuning the swap amounts so that the boundary update was narrowly skipped, the attacker prevented the position's liquidity from being removed from the pool's running total when the price left its range.
- The Infinite Money Glitch: In the final step of the exploit, as the attacker moved the price back into the liquidity range, they ensured that the function was triggered this time, adding the liquidity back into the running total. Since that liquidity had never been removed in the first place, the system now counted the original liquidity twice, producing what Colkitt described as an "infinite money glitch."
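The bookkeeping failure the list above describes, reduced to a constructed tick-range model (an added illustration, not KyberSwap's code): a position's liquidity must be subtracted from the running total when the price leaves its range and added back when it re-enters, and a defensive invariant check compares that running total against the liquidity recomputed from the positions themselves. The `skip_final_cross` flag is an assumption that stands in for a swap engineered to stop on a boundary without running the crossing update.

```python
# Constructed, simplified tick-range liquidity bookkeeping (not KyberSwap's code).
# A position covers ticks [lower, upper). pool.liquidity is the running total the swap
# loop uses; it must always equal the liquidity of the positions covering pool.tick.
from collections import defaultdict

class Pool:
    def __init__(self, tick):
        self.tick = tick
        self.liquidity = 0            # running total used by the swap loop
        self.net = defaultdict(int)   # liquidity added (+) / removed (-) at each boundary
        self.positions = []

    def mint(self, lower, upper, amount):
        self.positions.append((lower, upper, amount))
        self.net[lower] += amount
        self.net[upper] -= amount
        if lower <= self.tick < upper:
            self.liquidity += amount

    def expected_liquidity(self):
        # Ground truth recomputed from the positions; the running total must match it.
        return sum(a for lo, hi, a in self.positions if lo <= self.tick < hi)

    def swap_to(self, target, skip_final_cross=False):
        # Move the price one tick at a time, applying the boundary update on every crossing.
        # skip_final_cross (assumed flag) models the defect class: the swap lands on the
        # boundary but the crossing update is not applied, so liquidity is never removed.
        while self.tick != target:
            if self.tick < target:
                self.tick += 1
                delta = self.net[self.tick]     # moving up crosses boundary at the new tick
            else:
                delta = -self.net[self.tick]    # moving down crosses boundary at the old tick
                self.tick -= 1
            if skip_final_cross and self.tick == target:
                continue
            self.liquidity += delta

def liquidity_drift(pool):
    # Zero when bookkeeping is consistent; positive means liquidity is being double-counted.
    return pool.liquidity - pool.expected_liquidity()

def demo():
    good, bad = Pool(tick=100), Pool(tick=100)
    for p in (good, bad):
        p.mint(95, 105, 1_000)                    # one position straddling the current price
    good.swap_to(105); good.swap_to(100)          # leave the range, then re-enter: consistent
    bad.swap_to(105, skip_final_cross=True)       # leave without the crossing update
    bad.swap_to(100)                              # re-enter: liquidity is added a second time
    return liquidity_drift(good), liquidity_drift(bad)
```

Asserting `liquidity_drift(pool) == 0` after every swap (or recomputing active liquidity from positions in an off-chain monitor) is the check that flags this class of state corruption before it can be cashed out.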
What Was the Impact of the KyberSwap Hack on the KNC Token?
Following the attack, the value of Kyber Network Crystal (KNC) tokens initially dropped by 7% but later stabilized. At the time of writing this article, the price of KNC stands at $0.72, roughly the same level as before the incident.
What Were the Security Measures in Place and How Did the Attack Bypass Them?
KyberSwap had implemented a failsafe check within its computeSwapStep function intended to prevent exactly this kind of exploit. However, the attacker meticulously crafted the transaction amounts so that the swaps narrowly avoided triggering this failsafe.
What’s Next?
Following the exploit, KyberSwap assured its users that only the KyberSwap Elastic feature was affected and that its aggregator was operating as normal. Additionally, users were warned not to click on any links or respond to DMs from social media profiles bearing the platform's name. No further details have been officially released so far, and no plan of action has been announced publicly, which is typical in the first hours after incidents of this kind. DeFi Teller will continue to monitor the topic and will inform its readers about any major developments.