How Hackers Cracked KyberSwap to Steal Over $46 Million

Vignesh Karunanidhi
How Hackers Cracked KyberSwap to Steal Over $46 Million

An analysis of the recent $46 million exploit draining decentralized exchange KyberSwap has revealed a remarkably sophisticated manipulation of the platform’s concentrated liquidity arrangements.

According to Ambient Finance founder Doug Colkitt, who conducted the investigation, the attack relied on intricate calculations to create an “infinite money glitch.”

By subtly tricking KyberSwap’s smart contracts powering liquidity pools, the exploiter bypassed checks that would have updated pool liquidity values when crossing price boundaries. This enabled double-counting existing liquidity while fooling the contracts into overpaying on trades – yielding the extractor over $46 million across multiple pools.

Also read: City of Lugano Adds Polygon to its Crypto Payment App

Colkitt notes that the attack centered on the mannerism of KyberSwap’s particular concentrated liquidity implementation. As such, other prominent platforms like Uniswap and Ambient Finance remain secure against this specific vulnerability. Nonetheless, the exploit displays staggering precision and creativity.

KyberSwap hack followed a multi-step approach using flash loans

In Colkitt’s analysis, transactions followed a multi-step approach using flash loans to manipulate pricing and liquidity. After draining the ETH/wstETH pool, the attacker minted a small amount of liquidity within a specific price range where no other liquidity existed. This created a “clean canvas” for fine-tuned manipulation.

Two swaps then occurred around this tightly controlled price, with no other liquidity present. The first swap moved the price just past the boundary of the attacker’s liquidity range.

Also read: JPMorgan Says Binance’s $4.3B Settlement Lifts Cloud Over Crypto

On the second swap, the price was moved back within range, triggering the liquidity value to correctly update. But since the first swap failed to remove liquidity when crossing the threshold, the second swap essentially double-counted liquidity. This let the attacker withdraw more funds than they had deposited, draining the pool.

According to Colkitt, the quantity calculations used to predict whether price boundaries would be crossed differed slightly from the pricing formulas.

Also read: No Reason to Stop a Spot Bitcoin ETF, SEC Commissioner Says

By engineering swap amounts with uncanny accuracy, the attacker was able to bypass the boundary checks. In some cases, differences came down to a 0.000000001% margin of error, exemplifying the attack’s intricacy.

Colkitt notes that an additional check on whether swap steps remain within expected boundaries could have prevented the attack. Fortunately, implementing this fix to patch exploited smart contracts proves straightforward.