In a focused exploit, decentralized alternate (DEX) aggregator and liquidity protocol KyberSwap, which serves as the primary protocol within the Kyber Community’s liquidity hub, suffered a big safety breach.
On November 23, 2023, KyberSwap was attacked, ensuing within the theft of roughly $54.7 million, in accordance to intelligence offered by the SlowMist Safety Crew. Now, greater than seven days after the preliminary assault, the hacker has issued daring and audacious calls for.
Important Vulnerability In Liquidity Administration System
The assault concerned a collection of meticulously deliberate steps. The attacker started by borrowing 2000 Wrapped Ether (WETH) via a flash mortgage from the AAVE protocol.
With 6.8496 WETH, the attacker performed a swap for frax Ether (frxETH) within the KyberSwap pool, deliberately inflicting the frxETH value to exceed the vary of all liquidity suppliers’ positions.
Subsequently, the attacker added liquidity of 0.006948 frxETH and 0.1078 WETH inside a specified value vary. Manipulating the liquidity quantity inside this vary to be 74692747583654757908, the attacker strategically managed the liquidity to align with their subsequent assault phases.
The attacker then utilized 387.17 WETH to swap for 0.005789 frxETH, considerably growing the present value worth. Lastly, the attacker carried out a reverse swap, exchanging 0.005868 frxETH for 396.2 WETH at a value barely larger than the sq. root Worth (sqrtP) of tick 111310.
The attacker profited from the reverse swap by benefiting from this manipulation, buying roughly 9 extra WETH than initially exchanged within the ahead swap.
Based on the SlowMist workforce, the assault’s root trigger was the miscalculation of the required token quantities for exchanges primarily based on present and boundary tick costs.
Because of KyberSwap Elastic’s Reinvestment Curve, the liquidity inadvertently elevated because of compounded charges, leading to a calculated quantity bigger than anticipated. This extra liquidity coated the consumer’s alternate wants, however the precise value had already crossed the boundary tick.
Consequently, KyberSwap did not replace the liquidity, resulting in a duplication of liquidity enhance in the course of the reverse alternate throughout the boundary tick. This flaw allowed the attacker to acquire extra tokens than initially anticipated.
KyberSwap Should Yield Authority And Property
In an sudden flip of occasions, the hacker issued a second on-chain message on November 30, following an preliminary message on November 28.
The calls for embrace full govt management over KyberSwap, momentary full authority and possession over the governance mechanism (KyberDAO) to enact legislative modifications, and give up of all belongings encompassing shares, fairness, and tokens.
The hacker additionally guarantees a buyout of executives at a good valuation, a doubling of worker salaries beneath the brand new regime, and a 12-month severance bundle with full advantages for workers who select to depart.
Moreover, the hacker addresses token holders and traders, assuring them that their tokens will regain worth beneath the proposed treaty. The hacker even pledges to remodel Kyber into a completely new crypto mission, surpassing its present rating because the seventh hottest DEX.
Liquid pool (LP) contributors will even obtain a rebate overlaying 50% of their latest market-making losses. The hacker has set a agency deadline of December tenth for his calls for to be met, claiming that he may be contacted through Telegram with the deal with “@Kyber_Director.”
The following steps for the protocol’s leaders stay unsure as they grapple with the most recent developments and the pressing want to handle them inside a timeframe of simply over 10 days, with no official response to the hacker as of this writing.
Featured picture from Shutterstock, chart from TradingView.com