On 23 November 2023, the decentralized finance (DeFi) space was hit by a carefully planned exploit of KyberSwap, a leading decentralized exchange (DEX). Doug Colquitt, creator of Ambient Exchange, described the exploit as “the most complex and meticulously engineered ever”; it resulted in a loss of approximately $46 million.
To understand the complexity of the exploit, one must first understand ‘concentrated liquidity’. This feature is common in DEXs such as KyberSwap, Uniswap and Ambient: it allows liquidity providers to allocate their assets within specific price ranges, which improves capital efficiency. However, the same mechanism also creates its own class of vulnerabilities, as this incident shows.
The attacker’s strategy revolved around the ETH/wstETH pool on KyberSwap’s Ethereum deployment. Starting with a flash loan of 10,000 wstETH (worth approximately $23 million), the attacker manipulated the pool’s price. By injecting 2,800 wstETH ($6 million) into the pool, they pushed the ETH-to-wstETH price ratio down sharply. This drove the pool’s price to a level where virtually no liquidity existed, setting the stage for the exploit.
Having artificially moved the pool’s price, the attacker minted a small amount of liquidity in a narrowly defined price range. They then made two key swaps. The first sold a large amount of wstETH for a minimal amount of ETH, causing a large price drop. The second reversed this, buying back a larger amount of wstETH in exchange for only a slightly larger amount of ETH. Under normal circumstances, a sequence of trades like this should yield negligible net profit, because the trades are self-contained and cancel each other out.
However, because of a mathematical flaw in KyberSwap’s contract, these trades did not produce the expected near-zero result. The contracts failed to account accurately for liquidity changes during the swaps, so the available liquidity was misinterpreted. This flaw enabled the attacker to withdraw far more wstETH than was initially deposited, effectively creating an “infinite money glitch.”
The critical point of failure was the contract’s handling of the updateLiquidityAndCrossTick function. This function adjusts the curve’s liquidity value according to the LP range positions at a given price tick; during the first swap it did not behave correctly. As a result, the pool’s liquidity was not updated accurately, and the attacker exploited this oversight. The precise manipulation of swap volumes and prices indicates that the attacker had a deep understanding of the underlying contract mechanics.
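To make the mechanism concrete, here is an added example (a simplified model written for this article, not KyberSwap’s contract code and not Colquitt’s analysis) of a concentrated-liquidity pool in Python. It implements the standard range-position math described above, steps a swap across tick boundaries the way a function such as updateLiquidityAndCrossTick must, and then runs two defender-side checks after the swap: recompute the active liquidity from scratch and compare it with the incrementally tracked value, and confirm that the pool’s reserves still cover everything its positions could withdraw. The positions, tick indices and swap size are constructed sample values; the model ignores fees and uses floats where a real contract uses fixed-point integers.

```python
"""Toy concentrated-liquidity pool (Uniswap-v3-style math) with two invariants a
defender can assert after every swap. Constructed, simplified model for this
article: no fees, floats instead of fixed-point integers, not KyberSwap's code."""
import math
from dataclasses import dataclass, field

TICK_BASE = 1.0001  # price = TICK_BASE ** tick

@dataclass
class Position:
    lower: int        # first tick at which the position is active (inclusive)
    upper: int        # tick at which it stops being active (exclusive)
    liquidity: float

@dataclass
class Pool:
    positions: list
    tick: int
    sqrt_p: float
    liquidity: float = 0.0                           # active liquidity, tracked incrementally
    tick_deltas: dict = field(default_factory=dict)  # net liquidity change when crossing a tick upward
    reserve0: float = 0.0
    reserve1: float = 0.0

def sqrt_price_at_tick(tick):
    return TICK_BASE ** (tick / 2)

def position_amounts(pos, sqrt_p):
    """Token0 and token1 a position could withdraw at price sqrt_p ** 2."""
    sa, sb, L = sqrt_price_at_tick(pos.lower), sqrt_price_at_tick(pos.upper), pos.liquidity
    if sqrt_p <= sa:                      # price below the range: position is all token0
        return L * (sb - sa) / (sa * sb), 0.0
    if sqrt_p >= sb:                      # price above the range: position is all token1
        return 0.0, L * (sb - sa)
    return L * (sb - sqrt_p) / (sqrt_p * sb), L * (sqrt_p - sa)

def active_liquidity_from_scratch(pool):
    # Authoritative value: every position whose range contains the current tick
    return sum(p.liquidity for p in pool.positions if p.lower <= pool.tick < p.upper)

def build_pool(positions, tick):
    pool = Pool(positions=positions, tick=tick, sqrt_p=sqrt_price_at_tick(tick))
    for pos in positions:
        pool.tick_deltas[pos.lower] = pool.tick_deltas.get(pos.lower, 0.0) + pos.liquidity
        pool.tick_deltas[pos.upper] = pool.tick_deltas.get(pos.upper, 0.0) - pos.liquidity
        a0, a1 = position_amounts(pos, pool.sqrt_p)
        pool.reserve0, pool.reserve1 = pool.reserve0 + a0, pool.reserve1 + a1
    pool.liquidity = active_liquidity_from_scratch(pool)
    return pool

def swap_token0_in(pool, amount_in):
    """Sell token0 for token1: the price moves down, crossing initialized ticks on the way."""
    remaining, out = amount_in, 0.0
    while remaining > 0:
        below = [t for t in pool.tick_deltas if t <= pool.tick]
        if not below:
            break                          # no positions further down: stop filling
        next_tick = max(below)
        sqrt_target = sqrt_price_at_tick(next_tick)
        L = pool.liquidity
        # token0 needed to push the price all the way to the next tick (0 if the range is empty)
        dx_to_target = L * (1 / sqrt_target - 1 / pool.sqrt_p) if L > 0 else 0.0
        if remaining >= dx_to_target:
            # drain the current range, then cross the tick: moving down subtracts the upward delta
            out += L * (pool.sqrt_p - sqrt_target)
            remaining -= dx_to_target
            pool.sqrt_p, pool.tick = sqrt_target, next_tick - 1
            pool.liquidity -= pool.tick_deltas[next_tick]
        else:
            # stay inside the range: move the price as far as the remaining input allows
            sqrt_new = L * pool.sqrt_p / (L + remaining * pool.sqrt_p)
            out += L * (pool.sqrt_p - sqrt_new)
            remaining = 0.0
            pool.sqrt_p = sqrt_new
            pool.tick = math.floor(math.log(sqrt_new ** 2) / math.log(TICK_BASE))
    pool.reserve0 += amount_in - remaining
    pool.reserve1 -= out
    return out

def check_invariants(pool, tol=1e-6):
    """Post-swap checks: tracked liquidity matches a from-scratch recount, and
    reserves cover what every position could withdraw at the current price."""
    owed0 = owed1 = 0.0
    for pos in pool.positions:
        a0, a1 = position_amounts(pos, pool.sqrt_p)
        owed0, owed1 = owed0 + a0, owed1 + a1
    details = {"tracked_liquidity": pool.liquidity,
               "recomputed_liquidity": active_liquidity_from_scratch(pool),
               "owed0": owed0, "owed1": owed1,
               "reserve0": pool.reserve0, "reserve1": pool.reserve1}
    ok = (abs(pool.liquidity - details["recomputed_liquidity"]) <= tol
          and pool.reserve0 + tol >= owed0 and pool.reserve1 + tol >= owed1)
    return ok, details

def demo():
    # Constructed sample: a wide position plus a narrow one nested inside it; sell 3 token0.
    pool = build_pool([Position(-100, 100, 1000.0), Position(-50, 0, 500.0)], tick=10)
    out = swap_token0_in(pool, 3.0)
    ok, details = check_invariants(pool)
    return pool, out, ok, details

if __name__ == "__main__":
    pool, out, ok, details = demo()
    print(f"got {out:.6f} token1; tick={pool.tick}; liquidity={pool.liquidity}; invariants ok={ok}")
```

The second check is the one that matters for this class of bug: if an incremental liquidity update at a tick is ever wrong, the from-scratch recount diverges from the tracked value and the reserves stop matching what the positions are owed. A post-swap assertion of this kind belongs in a protocol’s unit tests and fuzzing harness, where it can flag the discrepancy before the code ships rather than after funds are gone.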
This incident has profound implications for the DeFi ecosystem, especially with regard to smart-contract security. Colquitt noted that the exploit is specific to Kyber’s implementation and does not necessarily threaten other DEXs that use concentrated liquidity, but it still underscores the need for more rigorous security measures and vulnerability assessments in DeFi protocols. The precision and sophistication of the attack also highlight the evolving nature of threats in the DeFi sector.
The KyberSwap exploit is a stark reminder of the complexity and vulnerabilities inherent in DeFi. It underlines the importance of continuous security audits and the need for the DeFi community to remain vigilant against such sophisticated attacks. As DeFi continues to grow and develop, so too must the security measures that protect its infrastructure and users.