Hacker Steals $265,000 in User Funds from KyberSwap

KyberSwap announced that $265,000 in user funds were stolen after a hacker exploited the multichain DEX aggregator’s front end.

The company confirmed the incident and announced that the victims of the attack would be compensated. A 15% bounty will be paid to the hacker if all the funds are returned and the hacker speaks directly with the KyberSwap team.

According to the details released by KyberSwap, the attack began at approximately 2:30 am EST. “We identified a malicious code in our Google Tag Manager (GTM) which inserted a false approval, allowing a hacker to transfer a user’s funds to his address,” the company said in its official notice.

The notice further explained that the hacker had discreetly injected the script so that it specifically targeted whale wallets holding large balances.

Following investigations, the company was able to neutralize the exploit within two hours.

The company has also urged users to use its platform with caution for the time being.

However, the attack on KyberSwap was comparatively smaller than other recent attacks on DeFi projects, which have seen numerous multimillion-dollar thefts of users’ funds.

Still, it highlights the wide range of ways in which DeFi users are vulnerable to attacks.

Two Suspects Uncovered by Binance in Connection to KyberSwap Frontend Attack

Binance might have successfully uncovered the brains behind the KyberSwap frontend hack, which was perpetrated last Thursday.

Binance, the largest cryptocurrency exchange by trading volume, has independently identified two individuals suspected of being the bad actors behind the KyberSwap scam, which led to the loss of over $265,000 in cryptocurrencies belonging to users. CEO Changpeng ‘CZ’ Zhao took to his Twitter page to announce the hack.

On Thursday, 1st September, the decentralized finance (DeFi) exchange platform KyberSwap noticed suspicious activity on its front end and shut it down to conduct investigations. Upon completing the investigations, Kyber Network discovered that malicious code had been introduced into its front end. Specifically, the code had been injected through its Google Tag Manager (GTM).

The code initiated false approvals, which in turn led to the loss of $265,000 in users’ funds. Notably, the malicious code targeted whale accounts holding large amounts of funds.

KyberSwap, which had been disabled, came back online less than two hours later, after a series of checks confirmed that the bad script had been removed. The DeFi exchange scrutinized its front end to determine the extent of the damage, the affected wallet addresses, and the attacker’s address.
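The "false approval" described in both the KyberSwap notice above and this account is an ERC-20 approve call whose spender is the attacker rather than the DEX router. The following is an added example, not KyberSwap's code: a front-end or wallet-side check that decodes approve calldata before it is sent for signing and flags approvals to untrusted spenders or with unlimited allowance. The router and rogue addresses are constructed placeholders.

```python
# ERC-20 approve(address,uint256): 4-byte selector followed by two 32-byte ABI words.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # keccak256("approve(address,uint256)")[:4]
MAX_UINT256 = 2**256 - 1

# Constructed sample addresses (placeholders, not real contracts).
TRUSTED_ROUTER = "0x" + "11" * 20
ROGUE_SPENDER = "0x" + "22" * 20


def encode_approve(spender: str, amount: int) -> bytes:
    """Build approve calldata; used here only to construct sample transactions."""
    return (APPROVE_SELECTOR
            + bytes.fromhex(spender[2:]).rjust(32, b"\x00")
            + amount.to_bytes(32, "big"))


def decode_approve(calldata: bytes):
    """Return (spender, amount) for an approve call, or None for anything else."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    spender = "0x" + calldata[16:36].hex()      # address is the low 20 bytes of word 1
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def review_approval(calldata: bytes, trusted_spenders) -> str:
    """Verdict for a transaction the front end is about to hand to the wallet.

    An injected script can only drain a user by getting an approval signed for an
    address the user never meant to trust, so the spender allowlist is the key check;
    unlimited allowances are flagged because they turn one bad signature into a
    permanent drain path.
    """
    decoded = decode_approve(calldata)
    if decoded is None:
        return "not-an-approval"
    spender, amount = decoded
    if spender.lower() not in {s.lower() for s in trusted_spenders}:
        return "block: approval to unknown spender"
    if amount == MAX_UINT256:
        return "warn: unlimited allowance"
    return "ok"
```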

Big Brother Binance Steps in For Troubled Crypto Firms

As an incentive, KyberSwap promised the scammers about 15%, or approximately $40,000, of the hijacked funds if they are returned. Assisting in the investigation, the Binance security team sent its intelligence to the Kyber Network team and has now started coordinating with law enforcement agencies.

This will not be the first time the largest exchange is stepping in to help other troubled crypto firms salvage their platforms. Markedly, Binance helped to recover about $5.8 million from the $625 million stolen from the Axie Infinity’s Ronin Bridge when it was attacked a few months ago.

All things considered, Binance is recognized for its proactive and selfless efforts to help investors.

A community member attested to this when he said, “Binance is now playing the role of a big brother in the crypto space. Binance has gone beyond securing its platform to securing the entire crypto ecosystem.”

KyberSwap announces first ever $ARB token liquidity pools, liquidity mining and trading campaigns on Arbitrum

Ho Chi Minh City, Vietnam, 22nd March, 2023, Chainwire

Since launching in 2021, Arbitrum has emerged as one of the most promising Layer 2 solutions, with its ability to scale Ethereum and enable faster and cheaper transactions.

On March 16, Ethereum Layer 2 scaling solution Arbitrum announced plans to distribute a new governance token, $ARB, to its eligible Arbitrum ecosystem users as part of its transition, noting that the project is “leading the way as the first L2 to launch self-executing governance.”

This airdrop, expected to go live on 23 March, is set to be one of the biggest airdrops in crypto history.

KyberSwap was among the protocols whose users bridged to Arbitrum and conducted swaps on the platform, thereby becoming eligible for the $ARB Airdrop.

KyberSwap, a leading decentralized exchange (DEX) aggregator and liquidity platform, will launch the first-ever $ARB token liquidity pools, liquidity mining, and trading campaigns on the Arbitrum chain. These moves mark significant steps forward for KyberSwap, as they will help catalyse significant liquidity inflows, increasing TVL and providing more earning opportunities in the rapidly growing Arbitrum ecosystem.

With the launch of the $ARB liquidity pools, KyberSwap users will now have access to more trading pairs and liquidity options. Liquidity providers will also have more opportunities to earn fees and rewards by adding liquidity to the $ARB pools and participating in liquidity mining programs by KyberSwap.

The following ARB pools will be eligible for liquidity mining rewards (token pair, fee tier):

ARB-ETH (2%)
ARB-ETH (5%)
ARB-USDT (2%)
ARB-USDT (2%)
ARB-KNC (5%)

An estimated total of 70,000 KNC has been allocated as reward incentives.

*Incentives may continue after the designated duration is over; to be confirmed at a later date.


Greater Flexibility with new Fee Tiers

With these highly anticipated yield farms, KyberSwap is introducing new 2% and 5% fee tiers, which exceed its current highest tier of 1%. These new fee tiers give $ARB farmers the opportunity to benefit from the anticipated high volatility and trading volume during the price discovery phase after the airdrop. These pools offer superior returns in addition to the farming rewards, and as a liquidity protocol that has been seamlessly integrated by multiple DEXs and aggregators, KyberSwap is well positioned to serve the trading needs of the entire chain in a way competitors cannot.

“We are excited to launch the first ever $ARB liquidity mining pools,” said Victor Tran, CEO and Co-founder of KyberSwap. “These farms will mark the beginning of an extensive Arbitrum-centered campaign KyberSwap has planned, and we will announce more rewards and activities soon for both LPs and traders. Additionally, traders can set their prices to purchase or sell $ARB with our limit order function and swap at the optimised rates with our aggregator.”

Other Arbitrum Yield Farms on KyberSwap

Apart from the upcoming ARB farms, there are other ongoing Arbitrum-based yield farms on kyberswap.com:

Depending on the success of $ARB trading volume, the KyberSwap team is planning additional rewards post-launch for traders and liquidity providers which may include $ARB and $KNC airdrops, and commemorative NFT rewards.

According to Nansen, Arbitrum was one of the fastest-growing blockchains in 2022, with more than $1.1 billion locked in its ecosystem and a rapid increase in transaction volume; the layer-two scaling solution gained massive traction during the year.

(Chart: Arbitrum Active Addresses/Transactions)

The $ARB token liquidity pools, liquidity mining, and trading campaigns are set to go live on KyberSwap soon, with further details and instructions to be provided on KyberSwap’s Twitter and on kyberswap.com.

About KyberSwap

Kyber Network is building a world to make DeFi accessible, safe and rewarding for users. Their flagship product, KyberSwap, is a next-gen DEX aggregator providing optimised rates for traders and returns for liquidity providers in DeFi.

For liquidity providers, KyberSwap has a suite of capital-efficient protocols designed to optimize rewards. KyberSwap Classic’s protocol is DeFi’s first market maker protocol that dynamically adjusts LP fees based on market conditions, while KyberSwap Elastic is a tick-based AMM with concentrated liquidity, customizable fee tiers, a reinvestment curve and other advanced features specially designed to give LPs the flexibility and tools to take their earning strategy to the next level without compromising on security.

KyberSwap powers 100+ integrated projects and has facilitated over US$15 billion worth of transactions for thousands of users since its inception.

Currently deployed on 13 chains, including Ethereum, Polygon, BNB, Avalanche, Fantom, Cronos, Arbitrum, BitTorrent, Velas, Aurora, Oasis, Optimism and Solana, KyberSwap aggregates liquidity from over 80 DEXs to give users the best rates possible for their swaps. 

Contact

Marketing Specialist
Tania Hay
KyberSwap
tania@kyber.network

Exploit of KyberSwap's Concentrated Liquidity Feature Results in $46 Million Loss

On November 23, 2023, the decentralized finance (DeFi) space was shaken by a meticulously planned exploit of KyberSwap, a leading decentralized exchange (DEX). The exploit, which Doug Colkitt, creator of Ambient exchange, characterized as “the most complex and carefully engineered” he had ever seen, resulted in a loss of approximately $46 million.

To grasp the exploit’s intricacy, one must first understand ‘concentrated liquidity.’ This feature, common across DEXs like KyberSwap, Uniswap, and Ambient, allows liquidity providers to allocate their assets within specific price ranges, enhancing capital efficiency. However, this mechanism also introduces unique vulnerabilities, as exploited in this incident.

The attacker’s strategy revolved around the Ethereum ETH/wstETH pool on KyberSwap. Starting with a flash loan of 10,000 wstETH (worth about $23 million), the attacker manipulated the pool’s price dynamics. By injecting 2,800 wstETH ($6 million) into the pool, they significantly skewed the ETH to wstETH price ratio. This action moved the pool’s price to a range with virtually no existing liquidity, setting the stage for the exploit.

With the pool’s price artificially altered, the attacker then minted a small amount of liquidity in a narrowly defined price range. Following this, they executed two crucial swaps. The first swap involved selling a large quantity of wstETH for a minimal amount of ETH, drastically pushing the price down. The second swap reversed this, buying back a more significant amount of wstETH for a fractionally higher amount of ETH. This series of transactions should have, under normal circumstances, resulted in negligible net gains due to the self-contained nature of the trades.

However, due to a mathematical flaw in KyberSwap’s contract, these trades did not net out as expected. The contract failed to accurately account for the liquidity changes during these swaps, leading to a misrepresentation of the available liquidity. This flaw enabled the attacker to extract far more wstETH than they initially deposited, effectively creating an “infinite money glitch.”

The critical point of failure was the contract’s handling of the updateLiquidityAndCrossTick function. During the first swap, this function, which adjusts the curve’s liquidity value based on the LP range positions at a given price tick, was not invoked correctly. As a result, the pool’s liquidity was not accurately updated, allowing the attacker to exploit this oversight to their advantage. The precise manipulation of swap quantities and prices indicates a deep understanding of the underlying contract mechanics by the attacker.
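The failure described in the preceding paragraphs is an accounting one: a tick-based AMM keeps a running liquidity counter that must be adjusted every time the price crosses a tick where an LP range begins or ends, and if a crossing's update is skipped the counter diverges from the positions that actually exist. The following is an added example, not Kyber's contract code: a simplified Uniswap-v3-style pool model with the invariant check a property test or on-chain monitor would assert (the counter must equal the liquidity recomputed directly from the positions). The `skip_cross` flag models a missed crossing update in the abstract; the position book is constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Position:
    """An LP range position: `liquidity` is active while tick_lower <= tick < tick_upper."""
    tick_lower: int
    tick_upper: int
    liquidity: int


def active_liquidity(positions, tick):
    """Ground truth: liquidity of every position whose range contains the tick."""
    return sum(p.liquidity for p in positions if p.tick_lower <= tick < p.tick_upper)


def liquidity_net(positions, tick):
    """Net change applied when the price crosses upward into `tick`
    (positions starting here become active, positions ending here drop out)."""
    return (sum(p.liquidity for p in positions if p.tick_lower == tick)
            - sum(p.liquidity for p in positions if p.tick_upper == tick))


class Pool:
    """Keeps an incremental `liquidity` counter the way a tick-based AMM does."""

    def __init__(self, positions, tick):
        self.positions, self.tick = list(positions), tick
        self.liquidity = active_liquidity(self.positions, tick)

    def move_to(self, new_tick, skip_cross=False):
        """Move the price one tick at a time, updating the counter at each crossing.
        skip_cross=True models a crossing whose liquidity update is never applied."""
        while self.tick != new_tick:
            if new_tick > self.tick:
                self.tick += 1
                if not skip_cross:
                    self.liquidity += liquidity_net(self.positions, self.tick)
            else:
                if not skip_cross:
                    self.liquidity -= liquidity_net(self.positions, self.tick)
                self.tick -= 1
        return self.liquidity

    def liquidity_drift(self):
        """Invariant check: counter minus ground truth. Anything other than 0 means
        swaps are being priced against liquidity that does not exist."""
        return self.liquidity - active_liquidity(self.positions, self.tick)


# Constructed sample book: one wide position plus two narrow ones near the price.
SAMPLE_POSITIONS = [Position(-100, 100, 1000), Position(0, 10, 50), Position(5, 20, 7)]
```

Running the same price path twice, once with the crossing applied and once with it skipped, shows the drift that such an invariant check catches the moment a tick boundary is mishandled.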

This incident has profound implications for the DeFi ecosystem, particularly concerning the security of smart contracts. While Colkitt noted that this exploit is specific to Kyber’s implementation and does not necessarily pose a threat to other DEXs with concentrated liquidity, it underscores the need for more rigorous security measures and vulnerability assessments in DeFi protocols. The precision and sophistication of the attack also highlight the evolving nature of threats in the DeFi space.

The KyberSwap exploit serves as a stark reminder of the complexities and vulnerabilities inherent in DeFi. It underscores the importance of continuous security audits and the need for the DeFi community to remain vigilant against such sophisticated attacks. As DeFi continues to grow and evolve, so too must the security measures that protect its infrastructure and users.

KyberSwap's Response to $48.8 Million Hack: Workforce Halved and Victim Reimbursement Plans

The decentralized finance sector faced a significant setback when KyberSwap, a DeFi protocol, suffered a devastating hack in November 2023. The aftermath of this security breach has led to far-reaching consequences, including a drastic reduction in the platform’s workforce and efforts to support affected users.

On November 22, 2023, KyberSwap experienced a severe security exploit, resulting in a loss of approximately $48.8 million from its Elastic liquidity pools. This incident, labeled the KyberSwap Elastic exploit, occurred at 10:54:09 PM UTC, marking a significant moment in the DeFi landscape. The hacker exploited a vulnerability in KyberSwap’s Elastic protocol, leading to unauthorized and exploitative swaps.

In response to this financial hit, Kyber Network’s CEO, Victor Tran, announced a regrettable but necessary decision to reduce the workforce by 50%. This move aims to keep the firm’s business operations sustainable in the wake of the financial losses incurred. Despite the difficult decision, Kyber Network emphasizes that its core business functions, including KyberSwap’s Aggregator and Limit Order features, remain intact. However, some initiatives, such as the liquidity protocol and the KyberAI project, have been temporarily paused.

Kyber Network has initiated a Treasury Grants Program to support users impacted by the hack. This program, which commenced on December 20, 2023, plans to distribute reimbursements in U.S. dollar stablecoins by February 1, 2024. Affected users are required to register for this reimbursement between January 11 and January 23, 2024. While the total reference value of losses nears $49 million, users will receive only 60% of this value, reflecting the financial constraints the platform faces. An additional $6.6 million was stolen from front-run bots in the aftermath of the primary exploit.

In a turn of events, the Kyber team attempted to negotiate a bounty deal with the hacker. However, the hacker’s demands were extreme, seeking complete control over Kyber Network, including all assets and its governance mechanism, KyberDAO. The hacker’s intention to buy the company at a fair valuation was not entertained by the Kyber team.

The exploit was characterized by DeFi expert Doug Colkitt as an “infinite money glitch,” a complex and carefully engineered smart contract exploit across several networks implementing KyberSwap pools. The affected networks included Avalanche, Polygon, Ethereum, and layer-2 networks such as Arbitrum, Optimism, and Base.

In summary, KyberSwap’s proactive steps to address the aftermath of the hack, including workforce reduction and plans to reimburse impacted users, demonstrate the challenges and resilience inherent in the DeFi sector. The incident underscores the importance of robust security measures and the need for continuous vigilance in the evolving landscape of decentralized finance.
