According to a social media thread by Ambient exchange founder Doug Colkitt, the KyberSwap $46-million attacker employed a “complex and carefully engineered smart contract exploit,” which Colkitt called an “infinite money glitch.” The founder stated that the hacker utilised a unique implementation of KyberSwap’s concentrated liquidity feature to “trick” the contract into believing it had more liquidity than it did.
Most decentralised exchanges (DEXs) provide a “concentrated liquidity” feature, allowing liquidity providers to set minimum and maximum prices at which they would like to sell or buy crypto. KyberSwap’s implementation of the feature is unusual, and the attacker took advantage of that trait. According to Colkitt, the hacker’s approach “probably will not work on other DEXs.”
The KyberSwap breach involved a series of exploits targeting individual pools, each attack closely resembling the others, as explained by Colkitt. To illustrate how it worked, Colkitt took the exploit of the ETH/wstETH pool on Ethereum as an example. This pool consisted of Ether and Lido Wrapped Staked Ether (wstETH).
The breach started by borrowing 10,000 wstETH ($23 million worth at the time) from flash loan platform Aave (shown in blockchain data). The attacker then dumped $6.7 million worth of these tokens into the pool, collapsing the price to 0.0000152 ETH per wstETH. At this point, no liquidity remained available for buying or selling; the pool’s liquidity should have been zero.
The attacker then deposited 3.4 wstETH and offered to buy or sell at prices between 0.0000146 and 0.0000153, withdrawing 0.56 wstETH immediately after the deposit. This was done to “make the subsequent numerical calculations line up perfectly,” as Colkitt speculated.
The perpetrator then executed a second swap, escalating the price to 0.0157 ETH, which should have nullified the attacker’s liquidity, and a third swap that brought the price back to 0.00001637, which still exceeded the attacker’s self-imposed maximum price and so remained outside their liquidity range.
The last two swaps should have had no impact, as the attacker was trading only with their own liquidity, given that other users had set minimum prices well below these values. Colkitt explained that without a numerical error, such transactions would merely result in back-and-forth trading within their own liquidity, with all flows offsetting to zero minus fees.
However, due to an idiosyncrasy in the arithmetic used to calculate the upper and lower bounds of price ranges, the protocol failed to remove liquidity in one of the initial two swaps but reintroduced it during the final swap. Consequently, the pool ended up “double counting the liquidity from the original LP position,” enabling the attacker to acquire 3,911 wstETH for a minimal amount of ETH. Despite having to sell 1,052 wstETH in the first swap to execute the attack, the attacker still profited by 2,859 wstETH (equivalent to $6.7 million at the current price) after repaying their flash loan.
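As an added example (not code from the article and not KyberSwap’s own code), the following toy model of range-crossing bookkeeping shows the invariant an integration test or monitor can assert for a concentrated liquidity pool: the running liquidity counter the contract keeps must always equal the liquidity recomputed from the positions that cover the current price. The prices, ranges, liquidity units and the dropped exit update are constructed to mirror the article’s description; the actual arithmetic defect is not reproduced.

```python
"""Toy concentrated-liquidity bookkeeping with a reconciliation check.
Constructed example; not KyberSwap's code and not its actual bug."""
from dataclasses import dataclass


@dataclass
class Position:
    lower: float      # minimum price at which this LP will trade
    upper: float      # maximum price
    liquidity: float  # constructed liquidity units, not token amounts

    def covers(self, price: float) -> bool:
        return self.lower <= price < self.upper


class Pool:
    def __init__(self, price: float, positions: list):
        self.price = price
        self.positions = positions
        # Running counter, as a contract would keep it, adjusted on crossings
        self.active = sum(p.liquidity for p in positions if p.covers(price))

    def expected_active(self) -> float:
        # Ground truth: recompute from the positions at the current price
        return sum(p.liquidity for p in self.positions if p.covers(self.price))

    def swap_to(self, new_price: float, drop_exit_update: bool = False):
        """Move the price, booking each range entered or exited.
        drop_exit_update stands in for the article's 'failed to remove
        liquidity' step: the exit crossing is simply not booked."""
        for p in self.positions:
            before, after = p.covers(self.price), p.covers(new_price)
            if before and not after and not drop_exit_update:
                self.active -= p.liquidity
            elif after and not before:
                self.active += p.liquidity
        self.price = new_price

    def drift(self) -> float:
        """Invariant: counter equals recomputed value; nonzero means double counting."""
        return self.active - self.expected_active()


def replay(buggy: bool) -> float:
    others = Position(0.0000010, 0.0000100, 1000.0)  # other LPs' ranges, far below
    attacker = Position(0.0000146, 0.0000153, 2.84)  # narrow range around the price
    pool = Pool(0.0000152, [others, attacker])
    pool.swap_to(0.0157, drop_exit_update=buggy)  # leaves the narrow range upward
    pool.swap_to(0.0000150)                        # re-enters it: liquidity added again
    return pool.drift()
```

With the exit update booked, the two swaps net to zero drift; with it dropped, the narrow position’s liquidity is counted twice, which is exactly what a per-swap reconciliation against the recomputed value would flag.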
The attacker seemingly replicated this exploit across other KyberSwap pools on various networks, ultimately making off with a total of $46 million in cryptocurrency.
Colkitt stated that KyberSwap had a failsafe mechanism embedded in the computeSwapStep function designed to prevent this exploitation. However, the attacker adjusted the numerical values in the swap to sit just beyond the range that would trigger the failsafe.
“The ‘reach quantity’, the upper bound for reaching the tick boundary, was calculated as …22080000, whereas the exploiter set a swap quantity of …220799999. That shows just how carefully engineered this exploit was. The check failed by…” Colkitt called the attack “easily the most complex and carefully engineered smart contract exploit I’ve ever seen.”
This is not the first attack targeting KyberSwap. The exchange discovered a vulnerability on April 17, but no funds were stolen. Its user interface was also hacked in September 2022, although all users were compensated. In this November 22 incident, the attacker told the team they were willing to negotiate to return some of the funds.