KyberSwap Suffers $46 Million Loss: Inside the Intricate 'Infinite Money Glitch' Exploit
Summary:
Douglas Colkitt, founder of Ambient Exchange, has detailed how the recent $46 million hack from KyberSwap was performed using an 'infinite money glitch', an exploit of the decentralized exchange's unique implementation of its concentrated liquidity feature. After borrowing a large quantity of cryptocurrency, the hacker manipulated the price, carried out a series of calculated deposits, withdrawals and swaps, finally managing to trick the system into double counting the liquidity, resulting in substantial profits. The exploit, described as one of the most sophisticated of its kind, led to a total loss of $46 million from multiple KyberSwap pools. Despite safety mechanisms in place, the exact numerical values chosen by the attacker allowed them to bypass prevention measures.
An intricate smart contract exploit was cleverly leveraged by a cybercriminal to syphon off $46 million from KyberSwap, according to analysis by Ambient exchange's founder, Doug Colkitt, shared in a social media thread. Coined by Colkitt as an "infinite money glitch," this elaborate manoeuvre tricked the contract into registering more liquidity than was actually present by manipulating KyberSwap's unique concentrated liquidity feature.
Decentralized exchanges (DEXs) typically offer a "concentrated liquidity" feature, enabling liquidity providers to predetermine a price range for their cryptocurrency transactions. The attacker took advantage of this feature on KyberSwap to extract the funds, though Colkitt suspects this methodology would likely be ineffective on other DEXs due to its specificity to Kyber's implementation.
The alleged intruder launched a series of identical attacks on individual pools. Colkitt uses an analysis of the ETH/wstETH pool to explain the mechanics. Borrowing 10,000 wstETH (roughly $23 million at the time) from flash loan platform Aave, the attacker proceeded to flood the pool with tokens worth $6.7 million, resulting in a price plunge. Subsequent actions involving deposits and withdrawals from the attacker reportedly curated a series of numerical calculations that would benefit their endgame.
Following this preparation, multiple swaps were carried out. Two swaps seemingly useless and intended to trade within the attacker's own set limits set prices above and below the attacker's liquidity threshold. Ordinarily, this would be fruitless, as stated by Colkitt, who emphasized that without numerical bugs, such actions would cause only zero-sum transactions.
However, a peculiarity in the calculus used in defining the price range limits upended the typical order. Misinterpretations of the first two swaps and the last one resulted in the pool erroneously counting the original liquidity twice, enabling the hacker to gain sizeable returns for minimal ETH investment. Despite having to offload some of the stolen currency at first, the cybercriminal managed to secure a significant profit after repaying the flash loan.
The exploiter reportedly replicated this scheme across numerous KyberSwap pools, culminating in a total haul of $46 million worth of crypto. KyberSwap reportedly had safety mechanisms built into its computeSwapStep function designed to thwart such attacks, but astute manipulations on the perpetrator's end allowed them to bypass this prevention method by adjusting the numerical values during the swap.
Dubbed by Colkitt as the most sophisticated smart contract exploitation he's ever witnessed, the matter is yet another incident on KyberSwap's record, with a previous vulnerability discovered in April resulting in no losses, and a user interface hack in September, in which all affected users were reimbursed. However, there seems to be hope for some resolution, with the November perpetrator reportedly indicating openness to some restitution negotiations.
Published At
11/23/2023 5:58:07 PM
Disclaimer: Algoine does not endorse any content or product on this page. Readers should conduct their own research before taking any actions related to the asset, company, or any information in this article and assume full responsibility for their decisions. This article should not be considered as investment advice. Our news is prepared with AI support.
Do you suspect this content may be misleading, incomplete, or inappropriate in any way, requiring modification or removal?
We appreciate your report.