KyberSwap, a decentralized exchange (DEX), suffered a cyber attack on November 22, resulting in about $54.7 million in digital assets stolen. This hack was remarkable in its scale and impact across various blockchain networks. KyberSwap advised its users to withdraw their funds from the DEX as a precautionary measure.
The attack led to the theft of various crypto assets, including around $20 million in Wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH), and $4 million in Arbitrum (ARB), distributed across Arbitrum, Optimism, Ethereum, Polygon and Base, according to Debank.
KyberSwap experienced a drastic 91% drop in its total value locked (TVL) in the aftermath of the hack, from around $80 million to $7.27 million at the time of writing. This was primarily due to the attack, although has been compounded by subsequent user withdrawals in response to the news.
Doug Colkitt, DEX Ambient founder, analyzed the hack in a 30-part tweet. He stated that the hacker targeted multiple cross-chain deployments of KyberSwap, aimed explicitly at the Kyber Elastic pools. The attacker utilized an 'infinite money glitch', borrowing a substantial amount of wstETH from Aave and then manipulating the price in the ETH/wstETH pool on Ethereum. This was achieved by strategically depositing and withdrawing tokens to exploit a numerical bug in the liquidity calculation. Despite KyberSwap having a failsafe mechanism, the attacker carefully crafted transactions to avoid triggering this safeguard.
1/ Finished a preliminary deep dive into the Kyber exploit, and think I now have a pretty good understanding of what happened.
— Doug Colkitt (@0xdoug) November 23, 2023
This is easily the most complex and carefully engineered smart contract exploit I've ever seen...
The attacker teased the possibility of negotiations in the notes of one transaction, an increasingly common communication trend in DeFi exploits. KyberSwap subsequently offered a 10% bounty for the return of the user funds, with a deadline of November 25.
However, in a message sent on-chain on November 28, the unidentified attacker set November 30 as the date they would outline a 'treaty', warning that ongoing "threats" and "general unfriendliness" from KyberSwap's side could delay the negotiations.
"I said I was willing to negotiate. In return, I have received (mostly) threats, deadlines, and general unfriendliness from the executive team. That’s ok, I don’t mind. I have prepared a statement concerning our (potential) treaty. I plan to release it on Nov. 30 at Noon UTC, sharp."
The DEX announced on November 26 that some of the funds had been returned and that their team was communicating with the owners of the frontrun bots responsible for the attack on the DEX's pools on Polygon and Avalanche.
The KyberSwap team has been in contact with the owners of the frontrun bots that extracted about $5.7M* worth of funds from KyberSwap pools on Polygon and Avalanche during the exploit.
— Kyber Network (@KyberNetwork) November 26, 2023
We have negotiated with the owners of the frontrun bots to return 90% of the users’ funds taken…
Victor Tran, the CEO and co-founder of KyberSwap, took to X to share that he will continue working with law enforcement to fight such attacks and return the stolen funds to their owners. He also announced that Kyber Elastic will no longer operate.
It's been a few days since the exploit attack, and I finally have the time and bandwidth to communicate. I remain fully dedicated to doing everything in my power, alongside the team, to support efforts to bring the attackers to justice.
— Victor Tran (@vutran54) November 26, 2023
I've been pushing @KyberNetwork since…
"Supporting the track down of the attacker and recovery of users' funds is my top priority from this point onward and will continue to be until every user has been made whole."
We await to Observe the hackers demands.
