On November 23, 2023, the decentralized finance (DeFi) space was shaken by a meticulously planned exploit of KyberSwap, a leading decentralized exchange (DEX). The exploit, which Doug Colkitt, creator of the Ambient exchange, described as "the most complex and carefully engineered" he had ever seen, resulted in a loss of roughly $46 million.
To understand the exploit's intricacy, one must first understand "concentrated liquidity." This feature, common across DEXs such as KyberSwap, Uniswap, and Ambient, allows liquidity providers to allocate their assets within specific price ranges, improving capital efficiency. However, the mechanism also introduces its own vulnerabilities, as this incident showed.
The attacker's strategy revolved around the Ethereum ETH/wstETH pool on KyberSwap. Starting with a flash loan of 10,000 wstETH (worth about $23 million), the attacker manipulated the pool's price dynamics. By injecting 2,800 wstETH ($6 million) into the pool, they significantly skewed the ETH to wstETH price ratio. This moved the pool's price into a range with virtually no existing liquidity, setting the stage for the exploit.
With the pool's price artificially altered, the attacker then minted a small amount of liquidity in a narrowly defined price range. Following this, they executed two critical swaps. The first swap sold a large quantity of wstETH for a minimal amount of ETH, drastically pushing the price down. The second swap reversed this, buying back a larger quantity of wstETH for a fractionally larger amount of ETH. Under normal circumstances this sequence of transactions should have produced negligible net gains, because the trades cancel each other out.
However, because of a mathematical flaw in KyberSwap's contract, these trades did not net out as expected. The contract failed to account accurately for the liquidity changes during these swaps, leading to a misrepresentation of the available liquidity. This flaw enabled the attacker to extract far more wstETH than they had initially deposited, effectively creating an "infinite money glitch."
The critical point of failure was the contract's handling of the updateLiquidityAndCrossTick function. During the first swap, this function, which adjusts the curve's liquidity value based on the LP range positions at a given price tick, was not invoked correctly. As a result, the pool's liquidity was not accurately updated, and the attacker exploited this oversight. The precise manipulation of swap quantities and prices indicates a deep understanding of the underlying contract mechanics on the attacker's part.
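The tick-crossing bookkeeping described above, as an added example that is not KyberSwap's code: a simplified concentrated-liquidity model (Uniswap-v3-style net liquidity per tick, with hypothetical names) together with the invariant check an auditor would run after every swap, namely that the pool's active liquidity equals the sum of the positions whose range contains the current tick. The `cross=False` path only simulates a missed tick-crossing update so that the check can be seen catching it.

```python
# Simplified concentrated-liquidity tick model (added example, not KyberSwap's
# contract). Names, integer ticks and the liquidity_net map are assumptions.

class TickPool:
    """Tracks the liquidity active at the current tick."""

    def __init__(self, tick: int):
        self.tick = tick
        self.active_liquidity = 0
        self.liquidity_net = {}   # boundary tick -> net change when crossed upward
        self.positions = []       # (lower, upper, liquidity); upper is exclusive

    def mint(self, lower: int, upper: int, liquidity: int) -> None:
        """Add an LP position covering ticks [lower, upper)."""
        assert lower < upper and liquidity > 0
        self.positions.append((lower, upper, liquidity))
        self.liquidity_net[lower] = self.liquidity_net.get(lower, 0) + liquidity
        self.liquidity_net[upper] = self.liquidity_net.get(upper, 0) - liquidity
        if lower <= self.tick < upper:          # position is in range right now
            self.active_liquidity += liquidity

    def cross_tick(self, boundary: int, upward: bool) -> None:
        """Analogue of updateLiquidityAndCrossTick for one boundary tick."""
        delta = self.liquidity_net.get(boundary, 0)
        self.active_liquidity += delta if upward else -delta

    def move_to(self, new_tick: int, cross: bool = True) -> int:
        """Move the price to new_tick, crossing every boundary in between.
        cross=False skips the crossing hook (simulated failure mode only)."""
        if new_tick > self.tick:
            # upward: boundaries tick+1 .. new_tick become "entered"
            for b in range(self.tick + 1, new_tick + 1):
                if cross:
                    self.cross_tick(b, upward=True)
        else:
            # downward: boundaries tick .. new_tick+1 are "left"
            for b in range(self.tick, new_tick, -1):
                if cross:
                    self.cross_tick(b, upward=False)
        self.tick = new_tick
        return self.active_liquidity

    def expected_liquidity(self) -> int:
        """Ground truth recomputed from positions, independent of the counter."""
        return sum(l for lo, hi, l in self.positions if lo <= self.tick < hi)

    def liquidity_invariant_holds(self) -> bool:
        """Auditor check: counter must match the positions in range."""
        return self.active_liquidity == self.expected_liquidity()
```

Running the invariant after each swap step in a fork test or fuzz harness is the kind of check that flags a skipped tick update before it reaches production.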
This incident has profound implications for the DeFi ecosystem, particularly regarding the security of smart contracts. While Colkitt noted that this exploit is specific to Kyber's implementation and does not necessarily pose a threat to other DEXs with concentrated liquidity, it underscores the need for more rigorous security measures and vulnerability assessments in DeFi protocols. The precision and sophistication of the attack also highlight the evolving nature of threats in the DeFi space.
The KyberSwap exploit serves as a stark reminder of the complexities and vulnerabilities inherent in DeFi. It underscores the importance of continuous security audits and the need for the DeFi community to remain vigilant against such sophisticated attacks. As DeFi continues to grow and evolve, so too must the security measures that protect its infrastructure and users.