KyberSwap claims hackers stole $55 million in crypto


Decentralized exchange KyberSwap has become the latest crypto company to lose millions to digital thieves, after reporting a highly sophisticated cyber attack.

In a post published on Friday, the company revealed that the attack took place on November 22, resulting in a loss of nearly $55 million in user funds.

“On November 22 at 10:54 p.m. UTC, attackers exploited KyberSwap Elastic smart contracts using a series of complex actions to perform exploitative swaps, enabling the withdrawal of user funds into the attackers’ wallets. Around $54.7 million of user funds were exploited by the attackers,” it said.

“In response, we suspended deposits, launched an investigation, contacted affected parties and entered into negotiations with the attackers with the aim of helping users recover as much as possible, including offering a 10% bonus to incentivize them to return funds used by users. »

Read more about cryptocurrency heists: UK crypto firm loses $200 million in cyber attack

Decentralized finance (DeFi) expert Doug Colkitt has a helpful thread on X (formerly Twitter) explaining exactly how the attack happened. He said this was specific to KyberSwap’s concentrated liquidity implementation, meaning the threat actors possessed a high degree of specialized skills and knowledge.

They effectively executed a precise sequence of chained steps to exploit a vulnerability in the platform.

“This is by far the most complex and carefully designed smart contract exploit I have ever seen.” he added.

KyberSwap said it contacted the owners of the frontrun bots that extracted approximately $5.7 million in funds from KyberSwap pools on Polygon and Avalanche during the exploit. He negotiated the return of 90% of these funds. However, the fate of the remaining $50 million is unclear.

The company also worked to strengthen its defenses to build resilience after the attack.

“The security measures we have taken include internal checks of smart contracts and audits carried out by 100proof (whitehacker), ChainSecurity and community developers through the Sherlock audit competition. We have encouraged additional controls on smart contracts through our bug bounty program with Immunefi,” that explained.

Leave a comment