BREAKING: KyberSwap Hacker Makes Demands
November 30, 2023 10:52 am
The KyberSwap hacker responsible for the recent $47 million exploit has finally broken his or her silence.
Instead of laying out reasonable terms or perhaps being gracious enough to accept a bug bounty, the KyberSwap hacker has instead chosen to make grandiose demands of the company.
In an on-chain message sent on Thursday, the hacker demanded full control of the Kyber company and the Kyber DAO. The hacker also informed the company that if any law enforcement personnel are contacted the offer will be terminated.
Additionally, the hacker has set a deadline of December 10, 2023, for these demands to be met or else the $47 million will never be returned and the ‘offer’ will no longer be valid.
This exploit represents yet another high-profile hack in the DeFi ecosystem, alongside the Poloniex hack that ProCoin News recently covered. Below is the on-chain message sent by the Kyber hacker:
🚨 Kyberswap hack update 🚨
The hacker has sent an on-chain message demanding complete executive control over the Kyber company, KyberDAO, and assets, in exchange for his cooperation.
Do you think this is serious or trolling? pic.twitter.com/7cVaDV5VYz
— Omniscia (@Omniscia_sec) November 30, 2023
Coin Telegraph explained:
As for liquidity providers, the hacker promised they would be gifted rebates for their recent market-making activity. The rebate will be 50% of the losses that they have incurred. “I know this is probably less than what you wanted. However, it is also more than you deserve,” the hacker wrote.
Doug Colkitt, founder of Ambient Finance, analyzed the KyberSwap code and laid out how he believes the hacker was able to exploit the platform and steal the $47 million in funds.
22/ Kyber runs this swap step, and it checks to see if the ending price of the step is the same as the next tick price. If it isn't, it assumes the swap was exhausted: it didn't reach the tick boundary and `updateLiq` doesn't need to be called. pic.twitter.com/wZignRaY0W
— Doug Colkitt (@0xdoug) November 23, 2023
24/ Normally this shouldn't happen because the `computeSwapStep` function first calculates an upper limit of the amount that can be swapped before reaching the tick.
If that amount is less than the remainder of the swap, it confidently predicts the ending price will *not* reach the tick. pic.twitter.com/Wx0tRMhBE7
— Doug Colkitt (@0xdoug) November 23, 2023
26/ And that's because the "reach quantity", the upper bound for reaching the tick boundary, was calculated as …22080000, whereas the exploiter set a swap quantity of …220799999.
That shows just how carefully engineered this exploit was. The check failed by <0.00000000001% pic.twitter.com/1MYodAaVtd
— Doug Colkitt (@0xdoug) November 23, 2023
28/ In a very carefully controlled and precisely engineered case, the bounds check will tell you that anything less than X swap qty will keep you inside the tick price.
But the parallel price change calculation will apply X swap qty and wind up outside the tick bound.
— Doug Colkitt (@0xdoug) November 23, 2023
30/ The good news at least, it would be pretty straightforward to patch the existing Kyber contracts with a similar assertion on the swap step to prevent this exploit in the future.
— Doug Colkitt (@0xdoug) November 23, 2023
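The disagreement Colkitt describes between the "reach" bound and the price-change calculation, and the swap-step assertion he proposes as the patch, modelled as an added Python example (constructed here; not Kyber's or Colkitt's code). It is a toy fixed-point swap step in which the two calculations can round in different directions, plus a brute-force invariant check an auditor could run; the scale `Q`, the liquidity and the prices are made-up values, and the rounding choices are an illustration of the class of bug, not Kyber's actual formulas.

```python
# Constructed toy model of one concentrated-liquidity swap step; NOT Kyber's
# code. An exact-in token1 swap pushes the sqrt price up inside one tick
# range. Fixed-point integers with scale Q; the price moves by amount*Q/liq.
Q = 1000  # fixed-point scale, deliberately tiny so the rounding is visible


def ceil_div(a, b):
    return -(-a // b)


def reach_amount(sqrt_p, sqrt_p_next, liq, round_up):
    """Bound on the token1 amount swappable before the tick at sqrt_p_next."""
    num = (sqrt_p_next - sqrt_p) * liq
    return ceil_div(num, Q) if round_up else num // Q


def next_sqrt_price(sqrt_p, liq, amount, round_up):
    """The 'parallel' calculation: the price after applying `amount`."""
    delta = amount * Q
    return sqrt_p + (ceil_div(delta, liq) if round_up else delta // liq)


class InvariantViolation(Exception):
    """Step claimed 'inside the range' but the price reached the tick."""


def swap_step(sqrt_p, sqrt_p_next, liq, amount, reach_round_up,
              price_round_up, check):
    """Return (new_sqrt_p, crossed); crossed=False means the step assumed
    the tick was not reached and skipped the liquidity update (updateLiq)."""
    reach = reach_amount(sqrt_p, sqrt_p_next, liq, reach_round_up)
    if amount < reach:  # bounds check: "this amount stays inside the tick"
        new_p = next_sqrt_price(sqrt_p, liq, amount, price_round_up)
        # The assertion proposed as the patch: both calculations must agree.
        if check and new_p >= sqrt_p_next:
            raise InvariantViolation(f"amount {amount} < reach {reach} but "
                                     f"price {new_p} >= tick {sqrt_p_next}")
        return new_p, False
    return sqrt_p_next, True  # tick reached: liquidity update path runs


def find_inconsistent_amounts(sqrt_p, sqrt_p_next, liq, reach_round_up,
                              price_round_up):
    """Auditor-style brute force: amounts that pass the bounds check yet
    land on or past the tick, i.e. where an unchecked step skips updateLiq."""
    reach = reach_amount(sqrt_p, sqrt_p_next, liq, reach_round_up)
    return [a for a in range(reach)
            if next_sqrt_price(sqrt_p, liq, a, price_round_up) >= sqrt_p_next]
```

With the reach bound rounded down and the price rounded up (`reach_round_up=False, price_round_up=True`), a range of 5000..5003 at liquidity 2500 lets amount 6 pass the bound yet land exactly on the tick, and `swap_step` with `check=True` reverts instead of silently skipping the liquidity update; with the rounding directions swapped the brute force finds nothing.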
This isn’t the first time KyberSwap has been hacked, according to Decrypt:
“At 3.24 pm GMT+7, we identified a suspicious element on our frontend,” Kyber Network tweeted. “Shutting down our frontend to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM) and immediately disabled it.”