DeFi expert explains how KyberSwap attacker used ‘Infinite Money Glitch’ to drain funds

As outlined in a social media thread by Doug Colkitt, founder of Ambient Exchange, the perpetrator behind the recent $46 million KyberSwap cyber-attack utilized a “sophisticated and meticulously crafted smart contract exploit” which he referred to as an “infinite money glitch.”


An “infinite money glitch” refers to a vulnerability in a smart contract or protocol that lets an attacker manipulate the system into paying out far more than they put in. It typically stems from a flaw in the code that lets the attacker exploit the financial mechanics of a decentralized platform for unauthorized gains.

According to Colkitt, the assailant exploited a distinct implementation of KyberSwap’s concentrated liquidity feature to “deceive” the contract, leading it to believe it possessed more liquidity than it actually did.

Many decentralized exchanges (DEXs) offer a “concentrated liquidity” feature that allows liquidity providers to establish minimum and maximum prices for buying or selling cryptocurrencies. This was what the attacker exploited. However, the exploit “is specific to Kyber’s implementation of concentrated liquidity and probably will not work on other DEXs,” Colkitt suggests.

The KyberSwap breach involved a series of exploits targeting specific pools, and according to Colkitt, each attack closely resembled the others. To demonstrate the methodology, Colkitt examined the attack on the ETH/wstETH pool on the Ethereum network, which comprised both Ether and Lido Wrapped Staked Ether.

The assailant initiated the process by obtaining a loan of 10,000 wstETH (equivalent to $23 million at the time) from the flash loan platform Aave. Subsequently, the attacker unloaded tokens worth $6.7 million into the pool, resulting in a drastic drop in its price to 0.0000152 ETH per 1 wstETH. At this juncture, there were no liquidity providers willing to engage in buying or selling, theoretically resulting in zero liquidity.

Following this, the assailant deposited 3.4 wstETH and presented offers to buy or sell within the price range of 0.0000146 and 0.0000153. Immediately after the deposit, the attacker withdrew 0.56 wstETH. Colkitt speculated that this withdrawal of 0.56 wstETH might have been executed to “align the subsequent numerical calculations perfectly.”

After executing the deposit and withdrawal sequence, the attacker proceeded with a second and third swap. The second swap elevated the price to 0.0157 ETH, a level that theoretically should have disabled the attacker’s liquidity. The third swap then moved the price back to 0.00001637, still above the maximum price set by the attacker’s liquidity range.

In theory, the last two swaps should have had no impact, as the attacker was essentially trading with their own liquidity. Since other users had minimum prices well below these values, Colkitt noted:

“In the absence of a numerical bug, someone doing this would just be trading back and forth with their own liquidity,” further explaining that “all the flows would net out to zero (minus fees).”

However, owing to a quirk in the arithmetic employed to compute the upper and lower bounds of price ranges, the protocol failed to eliminate liquidity in one of the initial two swaps but paradoxically reintroduced it during the concluding swap. Consequently, the pool ended up “double counting the liquidity from the original LP position,” allowing the attacker to acquire 3,911 wstETH in exchange for a minimal amount of ETH. Despite having to unload 1,052 wstETH in the first swap to execute the attack, this maneuver still enabled the attacker to realize a profit of 2,859 wstETH (equivalent to $6.7 million at the current price) after repaying their flash loan.
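The mechanism Colkitt describes, a range boundary treated one way when the price crosses it in one direction and another way on the way back, is the kind of bookkeeping defect that an invariant check catches immediately. The example below is a constructed toy model written for this article, not KyberSwap’s contract code, and its “inconsistent bounds” mode is a hypothetical illustration of that defect class rather than Kyber’s actual arithmetic. Prices are integer ticks, each liquidity position covers `lower <= price < upper`, and the pool tracks active liquidity incrementally from per-boundary deltas. The check recomputes active liquidity from the positions themselves and reports any discrepancy, which is exactly the test a pool author or auditor would want to run over a swap sequence that ends at a range boundary.

```python
"""Constructed toy model of concentrated-liquidity bookkeeping (not KyberSwap's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Position:
    lower: int      # position is active for lower <= price < upper
    upper: int
    liquidity: int


@dataclass
class Pool:
    price: int                      # integer price tick (constructed simplification)
    consistent_bounds: bool = True  # False enables the hypothetical boundary defect
    positions: List[Position] = field(default_factory=list)
    # net liquidity change at each boundary tick
    delta: Dict[int, int] = field(default_factory=lambda: defaultdict(int))
    active: int = 0                 # incrementally tracked active liquidity

    def add_position(self, pos: Position) -> None:
        self.positions.append(pos)
        self.delta[pos.lower] += pos.liquidity
        self.delta[pos.upper] -= pos.liquidity
        if pos.lower <= self.price < pos.upper:
            self.active += pos.liquidity

    def expected_active(self) -> int:
        """Ground truth: rebuild active liquidity directly from the positions."""
        return sum(p.liquidity for p in self.positions
                   if p.lower <= self.price < p.upper)

    def swap_to(self, new_price: int) -> int:
        """Move the price, applying the delta of every boundary crossed."""
        old = self.price
        if new_price > old:
            # moving up: boundary b is entered once price >= b
            for b in [b for b in self.delta if old < b <= new_price]:
                self.active += self.delta[b]
        elif new_price < old:
            if self.consistent_bounds:
                # moving down: boundary b is left once price < b
                crossed = [b for b in self.delta if new_price < b <= old]
            else:
                # hypothetical defect: the downward rule counts b as crossed when
                # price == b, disagreeing with the upward rule about which side
                # of the boundary the price sits on
                crossed = [b for b in self.delta if new_price <= b < old]
            for b in crossed:
                self.active -= self.delta[b]
        self.price = new_price
        return self.active


def liquidity_mismatch(pool: Pool) -> int:
    """Invariant check: tracked minus recomputed active liquidity (0 when healthy)."""
    return pool.active - pool.expected_active()


def run_round_trip(consistent_bounds: bool, turnaround: int = 20) -> Tuple[int, int]:
    """Price starts above an LP range, swaps down to `turnaround`, then swaps back.
    Returns (tracked active liquidity, mismatch) after the round trip."""
    pool = Pool(price=25, consistent_bounds=consistent_bounds)
    pool.add_position(Position(lower=10, upper=20, liquidity=1_000))
    pool.swap_to(turnaround)
    pool.swap_to(25)
    return pool.active, liquidity_mismatch(pool)


if __name__ == "__main__":
    # A round trip that stops inside the range is fine in both modes ...
    print("inside range, consistent  :", run_round_trip(True, turnaround=15))
    print("inside range, inconsistent:", run_round_trip(False, turnaround=15))
    # ... but a round trip that stops exactly on the upper bound leaves the
    # defective pool believing the position is still active after the price
    # has left the range: the liquidity has been counted twice.
    print("on boundary, consistent   :", run_round_trip(True))
    print("on boundary, inconsistent :", run_round_trip(False))
```

Note that the defective pool behaves correctly whenever the swap stops strictly inside or outside a range; only a swap that lands exactly on the boundary exposes the asymmetry. That is why a recomputed-from-scratch invariant, rather than spot checks on ordinary trades, is the right test: it is cheap to evaluate in a test harness or an off-chain monitor after every swap, and a non-zero mismatch is an unambiguous signal that the incremental liquidity accounting has diverged from the positions that back it.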

The attacker seemingly replicated this exploit across various KyberSwap pools on multiple networks, ultimately absconding with a total of $46 million in cryptocurrency spoils.

As per Colkitt, KyberSwap included a fail-safe mechanism within the computeSwapStep function designed to prevent such an exploit. Nevertheless, the attacker adeptly maintained the numerical values in the swap just beyond the range that would activate the fail-safe. Colkitt explained: “The ‘reach quantity’ which is the upper bound for reaching the tick boundary was calculated as …22080000, whereas the exploiter set a swap quantity of …220799999. That shows just how carefully engineered this exploit was.”

Colkitt called the attack “easily the most complex and carefully engineered smart contract exploit I’ve ever seen.”

On April 17, the KyberSwap team identified a vulnerability in its system, but no funds were compromised in that instance. The exchange’s user interface also experienced a hack in September 2022, and all users were reimbursed in that incident. The latest attacker has reached out to the team expressing a willingness to negotiate the return of some of the funds.