KyberSwap Loses $49,000,000 During Cyberattack
Summary #
On November 22, 2023, KyberSwap, a decentralized finance platform, suffered a sophisticated exploit resulting in a loss of approximately $49,000,000. The attacker used flash loans to push token prices in the platform's concentrated-liquidity pools into tick ranges holding very little liquidity, then executed carefully sized swaps that hit a precision edge case in the pools' tick-crossing arithmetic. The flaw caused the same liquidity to be counted twice, so the pools paid out far more than their real liquidity supported. KyberSwap's pools did include failsafe checks, but the attacker sized each swap so that these protections were never triggered.
Attackers #
The perpetrator has yet to be identified. The following addresses were used in the attack:
Timeline #
- November 22, 2023, 12:21 PM UTC: Initial transactions occur.
- November 22, 2023, 11:52 PM UTC: KyberSwap Network announces the hack and encourages customers to withdraw their funds in a post on X.
- November 22, 2023, 11:57 PM UTC: On-chain communication between KyberSwap and the attacker begins regarding future negotiations.
- November 26, 2023, 03:38 PM UTC: KyberSwap announces on X that it has been in contact with the operators of the front-running bots that extracted funds on Polygon and Avalanche during the attack, and has negotiated the return of 90% of the roughly $5.7 million attributed to them in exchange for a 10% bounty. KyberSwap provides an address for the return of the funds.
- November 30, 2023: The attacker demands full control over Kyber Network's entire asset portfolio, with a deadline of December 10, 2023.
- December 27, 2023, 04:06 PM UTC: KyberSwap announces a reimbursement plan and the termination of half of its workforce.
Losses #
Before the partial recovery negotiated with the bot operators, KyberSwap's losses were approximately $49,000,000.
Security Failure Causes #
- Tick-Crossing Arithmetic Flaw: The root cause was a precision edge case in the pools' concentrated-liquidity math that let liquidity be double-counted at a tick boundary. This is distinct from classic reentrancy (a function being re-entered before its first execution completes); the exploit did not rely on re-entering the contract, only on feeding it swap amounts that landed exactly on the rounding edge.
- Inadequate Auditing: Without thorough, continuous auditing of smart contracts, especially when new code is deployed or existing code is updated, subtle arithmetic edge cases like this one can go undetected.
- Insufficient Real-Time Monitoring: Without systems that watch for anomalous pool activity (large flash-loan-driven swaps, a pool whose tracked liquidity no longer matches the positions deposited in it) and allow a rapid response such as pausing the pools, the impact of an attack is amplified.
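To make the double-counting mechanism concrete, here is an added, deliberately simplified model of a concentrated-liquidity pool. This is illustrative code written for this page, not KyberSwap's contract: the integer price scale, the tick width, the two positions and the swap amounts are all constructed assumptions, and real pools use sqrt-price fixed-point arithmetic instead. The buggy swap step decides whether a tick was crossed from a price comparison but decides the pool's current tick from the amount consumed; when truncating arithmetic leaves the price one unit short of the boundary the two disagree, the pool believes it is in the next tick range while still counting the narrow position, and the reverse swap then adds that position's liquidity a second time. The fixed step uses a single predicate for both decisions and only re-derives the tick from the price when the price actually moved. The `invariant_ok()` method compares the incrementally tracked liquidity against the positions, the kind of monitoring check the causes above call for.

```python
"""Toy concentrated-liquidity pool showing how an inconsistent tick-crossing
decision double-counts liquidity. Added example, not KyberSwap's code."""
from dataclasses import dataclass, field

TICK_WIDTH = 100  # price units per tick (toy assumption)
SCALE = 1000      # fixed-point scale for the price/amount arithmetic


def tick_of(price: int) -> int:
    """Tick containing `price`: tick t covers [t*TICK_WIDTH, (t+1)*TICK_WIDTH)."""
    return price // TICK_WIDTH


def ceil_div(a: int, b: int) -> int:
    return -(-a // b)


@dataclass
class Position:
    lower: int      # first tick of the range (inclusive)
    upper: int      # first tick above the range (exclusive)
    liquidity: int


@dataclass
class Pool:
    price: int
    positions: list
    tick: int = 0
    liquidity: int = 0                                  # incrementally tracked
    liquidity_net: dict = field(default_factory=dict)   # tick -> change when crossed upward

    def __post_init__(self) -> None:
        self.tick = tick_of(self.price)
        for p in self.positions:
            self.liquidity_net[p.lower] = self.liquidity_net.get(p.lower, 0) + p.liquidity
            self.liquidity_net[p.upper] = self.liquidity_net.get(p.upper, 0) - p.liquidity
        self.liquidity = self.liquidity_from_positions(self.tick)

    def liquidity_from_positions(self, tick: int) -> int:
        """Ground truth the incremental counter must agree with."""
        return sum(p.liquidity for p in self.positions if p.lower <= tick < p.upper)

    def invariant_ok(self) -> bool:
        return self.liquidity == self.liquidity_from_positions(self.tick)

    def next_tick(self, up: bool) -> int:
        """Next initialized tick: strictly above when moving up, at-or-below when moving down."""
        if up:
            return min(t for t in self.liquidity_net if t > self.tick)
        return max(t for t in self.liquidity_net if t <= self.tick)

    def cross(self, tick: int, up: bool) -> None:
        net = self.liquidity_net[tick]
        self.liquidity += net if up else -net

    def swap(self, amount_in: int, up: bool, buggy: bool) -> None:
        remaining = amount_in
        while remaining > 0:
            boundary_tick = self.next_tick(up)
            boundary_price = boundary_tick * TICK_WIDTH
            distance = abs(boundary_price - self.price)
            # Input needed to reach the boundary. The buggy path rounds down, so
            # paying "the full step" can leave the price one unit short of it.
            to_boundary = (distance * self.liquidity // SCALE if buggy
                           else ceil_div(distance * self.liquidity, SCALE))
            step = min(remaining, to_boundary)
            delta = step * SCALE // self.liquidity          # truncating price update
            new_price = self.price + delta if up else self.price - delta
            remaining -= step
            crossed = new_price >= boundary_price if up else new_price <= boundary_price
            if buggy:
                # Two sources of truth: liquidity follows the price test, the
                # tick follows the amount test. They disagree at the rounding edge.
                if crossed:
                    self.cross(boundary_tick, up)
                if step == to_boundary:
                    self.tick = boundary_tick if up else boundary_tick - 1
                else:
                    self.tick = tick_of(new_price)
            else:
                # One predicate decides both; the tick is re-derived from the
                # price only when the price actually moved.
                if crossed:
                    self.cross(boundary_tick, up)
                    self.tick = boundary_tick if up else boundary_tick - 1
                elif new_price != self.price:
                    self.tick = tick_of(new_price)
            self.price = new_price


def make_pool() -> Pool:
    # Constructed sample: a wide position plus a narrow one whose upper tick (5)
    # is the boundary the first swap is driven toward.
    return Pool(price=349, positions=[Position(0, 10, 1000), Position(3, 5, 400)])


def run_scenario(buggy: bool) -> tuple:
    """Drive the price to just short of tick 5, then reverse one unit.
    Returns (tracked liquidity, liquidity the positions actually provide)."""
    pool = make_pool()
    pool.swap(211, up=True, buggy=buggy)
    pool.swap(1, up=False, buggy=buggy)
    return pool.liquidity, pool.liquidity_from_positions(pool.tick)


if __name__ == "__main__":
    for variant in (True, False):
        tracked, actual = run_scenario(variant)
        print(f"{'buggy' if variant else 'fixed'}: tracked={tracked} actual={actual}")
```

Running the block prints tracked versus actual liquidity for both variants: the buggy path ends at 1800 against a true 1400, the fixed path at 1400. In a real pool the same divergence shows up as the contract quoting swaps against liquidity that does not exist, which is what lets an attacker drain it, and it is exactly the condition an on-chain or off-chain monitor can alert on.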