According to on-chain data, the decentralized exchange KyberSwap appears to have been the victim of a $47 million hack. The funds were taken from the company’s Elastic Pools liquidity solution.
Funds were abruptly transferred from protocol-associated wallets into a single wallet, as initially reported by X user Spreek.
KyberSwap DEX suffers millions in losses
In the latest decentralized finance hack, around $47 million in various crypto coins appears to have been taken from the decentralized KyberSwap exchange.
The Kyber Network team informed its users on November 23 via an X (Twitter) post that KyberSwap Elastic “has experienced a security incident.”
According to on-chain data, the attacker mostly stole funds in Ether, wrapped ether (wETH), and USDC. The attacker also targeted multiple cross-chain KyberSwap deployments, stealing approximately $20 million from Arbitrum, $15 million from Optimism, and $7 million from Ethereum.
As a precaution, the exchange advised users to withdraw their funds while it investigated the situation. On-chain sleuths have ruled out a fault in the DEX’s approval authorization code, implying that the theft is a targeted attack against the liquidity provider pools themselves.
Blockchain sleuths identified the affected and exploiter wallet addresses, which were recently still operational. According to DefiLlama, the DEX currently has $22.23 million in total value locked (TVL), down from about $80 million prior to the hack.
The hacker’s demands
The following appeared in a transaction that the perpetrator purportedly sent: “Dear Kyberswap Developers, Employees, DAO members, and LPs, Negotiations will start in a few hours when I am fully rested. Thank you.” In addition, the perpetrator asked, “How is Ontario this time of year?”
KyberSwap Elastic allows liquidity providers to select their preferred price ranges while automatically compounding their yields.
According to DefiLlama data, KyberSwap’s total value locked (TVL) dropped by 68% in a matter of hours, and about $78 million left the protocol as a result of the attack and user withdrawals. Its TVL is currently $27 million, down from a peak of $134 million in 2023.
0xngmi, a pseudonymous employee at crypto data site DefiLlama, said on X: “I looked into the [transaction] and dont think it’s an approval issue with kyber aggregator, seems like hacker is just draining the kyber [liquidity provider] pools.”
0xngmi added that the protocol has a total of $72 million worth of value locked. At this time, there appears to be little to no effect on this.
It is becoming increasingly common in decentralized finance exploits for hackers to taunt their targets by signing transactions that carry lengthy text messages.
Adam Cochran, general partner at Cinneamhain Ventures, said on X, “Looks like the Kyber exploits is flash loans and some sort of math/rounding issue. Each [transaction] is starting with an ETH balance coming in, looped mint/redeem/swap.”
The perpetrator of the $200 million breach that targeted Euler Finance returned additional funds to the protocol in early March of this year. In a succession of messages published on the blockchain, the attacker appeared to offer an apology.
In a separate blockchain message, the perpetrator, who is currently identified as Jacob, stated that they had every intention of returning the entire amount of funds to Euler.