KyberSwap Vulnerability Appears Due To Elastic Function Leads To $46M In Losses

Key Points:

• KyberSwap Elastic recently experienced an attack resulting in the misappropriation of around $46 million in various cryptocurrencies.
• CertiK identified a KyberSwap vulnerability in the computeSwapStep() function, allowing the attacker to strategically deplete pools with low liquidity.
• The KyberSwap team responded to the attacker, offering a 10% reward for the return of the stolen assets.

In a recent incident, KyberSwap Elastic, a decentralized exchange, fell victim to an attack resulting in the misappropriation of approximately $46 million in various cryptocurrencies.

KyberSwap Vulnerability: Exploitation of Elastic’s Weakness

Blockchain security firm CertiK identified a KyberSwap vulnerability, specifically in the computeSwapStep() function’s implementation. This function, responsible for calculating exchange input/output amounts, fees, and sqrtP, erroneously generated a slightly larger price than the targetSqrtP due to a miscalculation in the calcFinalPrice call.

The attacker exploited this KyberSwap vulnerability by performing precise calculations within the empty scale range of the liquidity pool. By strategically utilizing cross-exchange liquidity counts, they managed to deplete KyberSwap pools containing low liquidity, leading to the successful attack.

The stolen funds, totaling $46 million, have been dispersed across various chains, including Arbitrum, Optimism, Ethereum, Polygon, and Base. Blockchain investigator “Spreek” clarified that the issue is not related to approvals but pertains to the total value locked (TVL) in Kyber’s liquidity pools.

KyberSwap Team Offers Reward and Urges Hacker’s Cooperation

In response to the attack, the KyberSwap team directly engaged with the hacker, offering a 10% reward, approximately $4.7 million, for the return of the stolen assets.

KyberSwap co-founder Victor Tran urged the attacker to refund 90% of the hacked amount to a specified wallet address before 06:00 AM on November 25 UTC.

DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.