Decentralized exchange KyberSwap has become the latest crypto firm to lose millions to digital thieves, after reporting a highly sophisticated cyber-attack.
In a post on Friday, the firm revealed that the attack took place on November 22, resulting in a loss of nearly $55m in users’ funds.
“On Nov 22 10:54 PM UTC, attackers exploited KyberSwap Elastic smart contracts using a series of complex actions to conduct exploitative swaps, enabling the withdrawal of users’ funds into the attackers’ wallets. Around $54.7m of users’ funds were exploited by the attackers,” it said.
“In response, we paused deposits, launched an investigation, contacted relevant parties & initiated negotiations with the attackers in an effort to help users recover as much as possible, including offering a 10% bounty as an incentive for returning the users’ exploited funds.”
Decentralized finance (DeFi) expert Doug Colkitt has a useful thread on X (formerly Twitter) walking through how the attack happened. He said the exploit was specific to KyberSwap's implementation of concentrated liquidity, which means the threat actors needed both a high degree of skill and detailed knowledge of that particular codebase.
They executed a precise sequence of on-chain steps to exploit a vulnerability in the protocol's Elastic smart contracts.
“This is easily the most complex and carefully engineered smart contract exploit I’ve ever seen,” he added.
KyberSwap said it had contacted the operators of the front-running bots that extracted about $5.7m worth of funds from KyberSwap pools on Polygon and Avalanche during the exploit, and that it has negotiated the return of 90% of those funds. The fate of the remaining roughly $50m, held by the attackers themselves, is unclear.
The firm has also been busy shoring up its defenses to build resilience following the attack.
“Security measures we’ve taken include internal smart contract checks, and audits by 100proof (whitehacker), ChainSecurity, and community developers via Sherlock’s audit competition. We encouraged further checks on the smart contracts through our bug bounty program with Immunefi,” it explained.