Flash Loans and Liquidity Bugs: Analysing the $47M KyberSwap Hack


KyberSwap, a key decentralised exchange (DEX), fell victim to a sophisticated cyber-attack. This breach resulted in the theft of approximately $47 million in various crypto assets and caused a significant 90% drop in the platform's Total Value Locked (TVL).

Behind the Breach

The attack exploited a vulnerability in KyberSwap’s concentrated liquidity feature. This flaw allowed attackers to manipulate the contract, causing it to miscalculate liquidity levels and enabling them to drain substantial funds from the exchange through a series of complex and strategically executed transactions.

The core of the attack targeted a potential vulnerability in the mint function of KyberSwap’s new v2 reinvestment token (KS2-RT), which might have created an opportunity for reentrancy attacks. The attackers began by borrowing wrapped Lido-staked Ether (wstETH) via a flash loan and manipulated the price in the ETH/wstETH pool on Ethereum. This manipulation was achieved by depositing and withdrawing tokens to exploit a numerical bug in the liquidity calculation.

Despite KyberSwap's implementation of a failsafe mechanism within their computeSwapStep function, the attackers meticulously crafted their transactions to narrowly avoid triggering this failsafe. The net result was that the system erroneously double-counted liquidity, because the attackers exploited a numerical bug while their swaps avoided crucial function triggers.
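The double-counting described above can be caught by an accounting invariant: recorded active liquidity must equal the sum of liquidityNet over every boundary at or below the current price. The following is an added example, not KyberSwap's contract code. ToyPool, its integer prices and the drift parameter are constructed for illustration, and it assumes the boundary-crossing decision is made on a predicted end price rather than the final one.

```python
from dataclasses import dataclass, field

@dataclass
class ToyPool:
    """Constructed toy model of tick-based liquidity accounting."""
    price: int                                # current price, integer units
    liquidity: int                            # active liquidity the pool has recorded
    net: dict = field(default_factory=dict)   # boundary price -> liquidityNet
    strict: bool = False                      # True = decide crossings on the final price

    def expected_liquidity(self) -> int:
        # Ground truth: sum liquidityNet over every boundary at or below the price.
        return sum(n for p, n in self.net.items() if p <= self.price)

    def consistent(self) -> bool:
        return self.liquidity == self.expected_liquidity()

    def swap_up(self, predicted_end: int, drift: int = 0) -> None:
        # drift stands in for rounding that lands the real price past the prediction.
        final = predicted_end + drift
        decide_on = final if self.strict else predicted_end
        for p in sorted(self.net):
            if self.price < p <= decide_on:
                self.liquidity += self.net[p]   # upward crossing applies liquidityNet
        self.price = final

    def swap_down(self, end: int) -> None:
        for p in sorted(self.net, reverse=True):
            if end < p <= self.price:
                self.liquidity -= self.net[p]   # downward crossing reverses it
        self.price = end

def round_trip(strict: bool) -> list:
    # One position of 500 units between boundaries 100 and 200 (constructed values).
    pool = ToyPool(price=150, liquidity=500, net={100: 500, 200: -500}, strict=strict)
    trace = []
    pool.swap_up(predicted_end=199, drift=1)    # predicted to stop short, lands on 200
    trace.append((pool.price, pool.liquidity, pool.consistent()))
    pool.swap_down(end=150)                     # return trip crosses boundary 200
    trace.append((pool.price, pool.liquidity, pool.consistent()))
    return trace

if __name__ == "__main__":
    print("naive :", round_trip(False))
    print("strict:", round_trip(True))
```

In the naive run the invariant fails as soon as the price lands on the boundary without the crossing being recorded, which is the point at which a monitor or an on-chain assertion could halt the pool before the return swap doubles the recorded liquidity.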

After the Incident

Following the breach, Kyber Network issued an urgent advisory to its users, urging them to withdraw their funds as a precaution. The team is actively investigating the incident to understand its full scope and implement necessary security measures.

The KyberSwap hack highlights the intricate and evolving challenges facing the DeFi industry, especially concerning smart contract vulnerabilities and the security of liquidity features.

