By exploiting a bug, the attacker caused liquidity to be “double-counted,” allowing them to get an unfair price for a swap.
The attacker who drained $46 million from KyberSwap relied on a “complex and carefully engineered smart contract exploit” to carry out the attack, according to a social media thread by Ambient exchange founder Doug Colkitt.
Colkitt labeled the exploit an “infinite money glitch.” According to him, the attacker took advantage of a unique implementation of KyberSwap’s concentrated liquidity feature to “trick” the contract into believing it had more liquidity than it did in reality.
1/ Finished a preliminary deep dive into the Kyber exploit, and think I now have a pretty good understanding of what happened.
This is easily the most complex and carefully engineered smart contract exploit I've ever seen…
— Doug Colkitt (@0xdoug) November 23, 2023
Most decentralized exchanges (DEXs) provide a “concentrated liquidity” feature, which allows liquidity providers to set minimum and maximum prices at which they would offer to buy or sell crypto. According to Colkitt, this feature was used by the KyberSwap attacker to drain funds. However, the exploit “is specific to Kyber’s implementation of concentrated liquidity and probably will not work on other DEXs,” he said.
The KyberSwap attack consisted of several exploits against individual pools, with each attack being nearly identical to every other, Colkitt said. To illustrate how it worked, Colkitt considered the exploit of the ETH/wstETH pool on Ethereum. This pool contained Ether (ETH) and Lido Wrapped Staked Ether (wstETH).
The attacker began by borrowing 10,000 wstETH (worth $23 million at the time) from flash loan platform Aave, as shown in blockchain data. According to Colkitt, the attacker then dumped $6.7 million worth of these tokens into the pool, causing its price to collapse to 0.0000152 ETH per 1 wstETH. At this price point, there were no liquidity providers willing to buy or sell, so liquidity should have been zero.
The attacker then deposited 3.4 wstETH and offered to buy or sell between the prices of 0.0000146 and 0.0000153, withdrawing 0.56 wstETH immediately after the deposit. Colkitt speculated that the attacker may have withdrawn the 0.56 wstETH to “make the subsequent numerical calculations line up perfectly.”
After making this deposit and withdrawal, the attacker performed a second and third swap. The second swap pushed the price to 0.0157 ETH, which should have deactivated the attacker’s liquidity. The third swap pushed the price back up to 0.00001637. This, too, was outside of the price range set by the attacker’s own liquidity threshold, as it was now above their maximum price.
Theoretically, the last two swaps should have accomplished nothing, as the attacker was buying and selling into their own liquidity, since every other user had a minimum price set far below these values. “In the absence of a numerical bug, someone doing this would just be trading back and forth with their own liquidity,” Colkitt stated, adding, “and all the flows would net out to zero (minus fees).”
However, due to a peculiarity of the arithmetic used to calculate the upper and lower bound of price ranges, the protocol failed to remove liquidity in one of the first two swaps but also added it back during the final swap. As a result, the pool ended up “double counting the liquidity from the original LP position,” which allowed the attacker to receive 3,911 wstETH for a minimal amount of ETH. Although the attacker had to dump 1,052 wstETH in the first swap to carry out the attack, it still enabled them to profit by 2,859 wstETH ($6.7 million at today’s price) after paying back their flash loan.
The attacker apparently repeated this exploit against other KyberSwap pools on multiple networks, eventually getting away with a total of $46 million in crypto loot.
Related: HTX exchange loses $13.6M in hot wallet hack: Report
According to Colkitt, KyberSwap contained a failsafe mechanism within the computeSwapStep function that was intended to prevent this exploit from being possible. However, the attacker managed to keep the numerical values used in the swap just outside of the range that would cause the failsafe to trigger. As Colkitt stated:
“The ‘reach quantity’ was the upper bound for reaching the tick boundary was calculated as …22080000, whereas the exploiter set a swap quantity of …220799999. That shows just how carefully engineered this exploit was. The check failed by <0.00000000001%.”
Colkitt called the attack “easily the most complex and carefully engineered smart contract exploit I’ve ever seen.”
As Cointelegraph reported, KyberSwap was exploited for $46 million on Nov. 22. The team discovered a vulnerability on April 17, but no funds were lost in that incident. The exchange’s user interface was also hacked in September 2022, although all users were compensated in that incident. The Nov. 22 attacker has informed the team they are willing to negotiate to return some of the funds.
