Original - Odaily
Author - Loopy Lu
On November 23, the multi-chain DEX aggregator KyberSwap suffered a serious cyber attack, resulting in the theft of various crypto assets worth approximately US$48.3 million, mainly including 16,217 ETH (valued at US$33.5 million), 3,987,332 ARB (worth $4.06 million), 591,441 OP (worth $1.03 million) and 1,111,926 DAI.
Latest developments (updated November 24):
The KyberSwap team sent the hacker an on-chain negotiation message, stating that the hacker could keep 10% of the stolen funds as a bounty in exchange for safely returning all users' funds. KyberSwap claims to know how the hacker carried out the attack, and has given the hacker until 14:00 on November 25, Beijing time, to return 90% of the stolen funds to the address starting with 0x8180; otherwise it will continue to pursue information on the hacker.
Tens of millions of dollars stolen
After the incident, the Kyber Network team told its users in an X (Twitter) post that KyberSwap Elastic had experienced a security incident. It advised users to withdraw funds as a precautionary measure, adding that it was investigating the situation.
Kyber was launched in 2018 and had a TVL of approximately $86 million before the hack. Currently, the TVL has dropped to $13 million.
KyberSwap is a DEX and aggregator deployed on 15 blockchains. According to its official introduction, the platform has processed more than US$10 billion in total trading volume and more than 2 million total transactions, and has integrated more than 100 DEXs.
(KyberSwap is already available on 15 chains)
On-chain data shows that the KyberSwap theft occurred on multiple networks. According to Spot On Chain monitoring, the affected networks include Arbitrum, Optimism, Ethereum, Polygon and Base.
Among them, approximately $20 million worth of tokens were stolen from the Arbitrum network, $15 million was stolen from the Optimism network, and more than $7 million was stolen from Ethereum.
It should be noted that this is not the first theft KyberSwap has suffered. In September 2022, a KyberSwap front-end vulnerability resulted in the theft of $265,000 in user funds.
The KyberSwap theft has once again drawn widespread attention in the crypto industry to DEX security. Odaily reminds users that when a security risk arises, they should promptly withdraw funds and revoke permissions.
I'll take a break first and contact you later.
What makes this incident different from previous attacks is that the hackers added rich annotations to the operations performed on the chain. This kind of behavior gives this attack a different meaning. It is difficult for us to judge whether this is ridicule or teaching.
The hacker's operation is relatively complex. We have excerpted the main steps as follows:
1. Start taking action
2. Find the source of liquidity requests
3. Build false liquidity
4. Complete the attack
We saw that the hacker sent a DONEEEEEEEEEEE message at the end, and the drawn-out ending directly expressed the joy in the hacker's heart.
What's more interesting is that the hacker's goal does not seem to be to deplete Kyber's liquidity, but to secure the proceeds of the attack through negotiation.
The attacker left an on-chain message to protocol developers and DAO members, saying that negotiations would begin in a few hours, after getting some rest.
The community speculates that the hacker does not want to bear the legal risk of taking all the stolen assets. The hacker is likely to reach a negotiated settlement with the project team, keeping only part of the stolen funds in exchange for the project team no longer pursuing the case.
KyberSwap suffered a $265,000 hack in September 2022, which was later resolved with the assistance of Binance. At the time, KyberSwap offered the hacker a 15% bounty, which was about $40,000.
Hackers may be repeat offenders
This attack is believed to be a direct attack on LP rather than a vulnerability in the DEX authorization code. The hacker successfully bypassed the exchange's multi-layered security protection through a carefully designed attack strategy.
Security team BlockSec believes that the attack on KyberSwap was carried out through price manipulation and double liquidity counting. The attacker borrowed flash loans and drained the less liquid pools. By executing swaps and changing positions, they manipulated the victim pool's real-time prices and price movements. Ultimately, the attacker triggered multiple swap steps and cross-quote operations, resulting in double liquidity counts that depleted the pool.
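To make "double liquidity counting" concrete, here is an added example (not KyberSwap's contract code and not BlockSec's tooling) of the invariant a monitor can check on a range-based liquidity pool: the liquidity the pool tracks must equal the sum of the positions whose range contains the current price tick. The pool model, the crossing-event format and all values are simplified assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Position:
    lower: int      # inclusive lower tick of the range
    upper: int      # exclusive upper tick of the range
    liquidity: int

# Constructed sample pool: two adjacent liquidity ranges.
POSITIONS = [Position(0, 100, 1000), Position(100, 200, 5000)]

def expected_liquidity(positions, tick):
    """Ground truth: liquidity of every position whose range contains tick."""
    return sum(p.liquidity for p in positions if p.lower <= tick < p.upper)

def liquidity_net(positions):
    """Signed delta the pool applies when the price crosses a tick upward."""
    net = {}
    for p in positions:
        net[p.lower] = net.get(p.lower, 0) + p.liquidity
        net[p.upper] = net.get(p.upper, 0) - p.liquidity
    return net

def replay(positions, start_tick, crossings):
    """Replay (tick, direction) crossing events; direction is +1 up, -1 down.
    Returns the liquidity the pool would be tracking and the final tick."""
    net = liquidity_net(positions)
    tracked = expected_liquidity(positions, start_tick)
    tick = start_tick
    for crossed, direction in crossings:
        tracked += direction * net.get(crossed, 0)
        tick = crossed if direction > 0 else crossed - 1
    return tracked, tick

def audit(positions, start_tick, crossings):
    """Flag any state where tracked liquidity diverges from the ground truth."""
    tracked, tick = replay(positions, start_tick, crossings)
    expected = expected_liquidity(positions, tick)
    return {"tick": tick, "tracked": tracked,
            "expected": expected, "ok": tracked == expected}

if __name__ == "__main__":
    print(audit(POSITIONS, 50, [(100, +1)]))             # boundary applied once
    print(audit(POSITIONS, 50, [(100, +1), (100, +1)]))  # same boundary applied twice
```

When the same boundary delta is applied twice, the pool believes it holds 9000 units of liquidity at a tick where positions only back 5000, so swaps are priced against liquidity that does not exist; the audit reports that state as `ok: False`.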
Another twist is that this does not appear to be the hacker's first offense.
According to Paidun monitoring, an address labeled as a Kyber Network attacker has transferred 1,000 WETH ($2.06 million) to an address on Arbitrum ending in adb4. This address interacted with the Indexed Finance attacker on Ethereum 705 days ago.
In October 2021, passive yield protocol Indexed Finance was attacked, resulting in $16 million in losses.
The KyberSwap incident is a serious warning to the entire cryptocurrency trading field, reminding all participants that they must be more vigilant and strengthen security measures. As the crypto market continues to develop, ensuring the security of trading platforms will become an ongoing focus for the industry. The KyberSwap security incident has caused the entire industry to think deeply about the security of decentralized trading platforms.
Facing increasingly complex security challenges, DEXs still need to keep innovating and improving their security technology. This includes strengthening the security audit of smart contracts, improving abnormal transaction detection capabilities, and developing a more efficient emergency response mechanism. At the same time, strengthening user education and raising awareness is also an important part of preventing security incidents. Users need to understand the relevant risks and take appropriate measures to protect the security of their assets.
Once the hacker wakes up, will KyberSwap's negotiations go smoothly? How will things end for the hacker? Odaily will continue to follow the story.
