KyberSwap was hacked for $48 million, but the drama-loving hacker took the initiative to open negotiations.


Hackers leave a message on the chain: “Let me rest for a while, let’s talk later.”

Original author: Loopy Lu

On November 23rd, the multi-chain DEX aggregator KyberSwap suffered a severe attack, resulting in the theft of various crypto assets worth approximately $48.3 million. The stolen assets mainly comprised 16,217 ETH (worth $33.5 million), 3,987,332 ARB (worth $4.06 million), 591,441 OP (worth $1.03 million), and 1,111,926 DAI.

Millions of dollars stolen

After the incident, the Kyber Network team reminded its users in a post on X (Twitter), stating that KyberSwap Elastic “had experienced a security incident.” It advised users to withdraw their funds as a precautionary measure and mentioned that they were investigating the situation.


Kyber was launched in 2018 and had a TVL (total value locked) of approximately $86 million prior to the hack. The TVL has now dropped to $13 million.


KyberSwap is a decentralized DEX and aggregator deployed on 15 blockchains. The official introduction shows that the platform has had over $10 billion in total trading volume and over 2 million total transactions, with integration with over 100 DEXs.


(KyberSwap is available on 15 chains)

However, on-chain data shows that this KyberSwap hack occurred across multiple networks. Spot On Chain monitoring revealed that the KyberSwap hack occurred on networks including Arbitrum, Optimism, Ethereum, Polygon, and Base.

Among them, tokens worth approximately $20 million were stolen from the Arbitrum network, $15 million from the Optimism network, and over $7 million from Ethereum.

It is important to note that this is not the first time KyberSwap has been hacked. In September 2022, a front-end vulnerability at KyberSwap led to the theft of $265,000 in user funds.

The KyberSwap hack has once again raised widespread concerns about the security of DEXs in the cryptocurrency industry. Odaily Planet Daily reminds users that when a security risk arises, they should promptly withdraw their funds and revoke token approvals.

“I’ll take a break and contact you later.”

What sets this incident apart from previous attacks is that the hacker added detailed annotations to the operations performed on the blockchain. This behavior gives the attack a different character, and it is hard to tell whether it is meant as mockery or as a lesson.

The hacker’s actions are quite complex, and we have summarized the main process as follows:

1. Getting started

2. Finding the source of liquidity requests

3. Creating false liquidity

4. Completing the attack


We can see that at the end, the hacker sends a message saying “DONEEEEEEEEEEEEE,” prolonging the final sound to express their joy.

What’s even more interesting is that the hacker’s goal does not appear to be depleting Kyber’s liquidity, but rather intending to negotiate to gain benefits from this attack. The attacker left a message on the blockchain for the protocol developers and DAO members, stating, “Negotiations will begin in a few hours once I’ve rested.”


The community speculates that this means the hacker seemingly doesn’t want to bear the legal risk of taking away all the stolen assets. The hacker is likely to reach a consensus with the project team through negotiations and settlements, taking only a portion of the stolen funds in exchange for the project team dropping any further pursuit.

KyberSwap suffered a hacker attack in September 2022, which resulted in a loss of $265,000. It was later resolved with the assistance of Binance. At that time, KyberSwap offered a 15% bounty to the hacker, amounting to approximately $40,000.

The hacker may be a repeat offender.

This attack is considered a direct attack on LPs (liquidity providers) rather than an exploit of a vulnerability in the DEX's authorization code. Through a carefully designed attack strategy, the hacker bypassed multiple layers of security protection in the exchange.

The security team BlockSec believes that KyberSwap was exploited using price manipulation and double-counting liquidity. The attacker borrowed flash loans and depleted low-liquidity pools. By executing swaps and changing positions, they manipulated the real-time price and price fluctuations of the victim pool. Ultimately, the attacker triggered multiple exchange steps and cross-quote operations, leading to double-counting of liquidity and depleting the funds.

There is another “Easter egg”: it appears this is not the hacker’s first offense.

According to PwC’s monitoring, the address identified as the attacker of Kyber Network has transferred 1,000 WETH (worth $2.06 million) to an address ending in “adb4” on Arbitrum. This address had interacted with the attacker of Indexed Finance on Ethereum 705 days ago.

In October 2021, the passive income protocol Indexed Finance suffered an attack, resulting in a loss of $16 million.

The Kyberswap incident serves as a grave warning for the entire cryptocurrency trading industry, reminding all participants to remain vigilant and enhance security measures. With the continuous development of the crypto market, ensuring the security of trading platforms will become a focal point for the industry. The Kyberswap security incident has prompted deep contemplation in the industry regarding the security of decentralized trading platforms.

Facing increasingly complex security challenges, DEXs (decentralized exchanges) still need continuous innovation and improvement in their security techniques. This includes strengthening security audits of smart contracts, enhancing the ability to detect abnormal transactions, and developing more efficient emergency response mechanisms. Additionally, strengthening user education and awareness is also a crucial aspect in preventing security incidents. Users need to understand the relevant risks and take appropriate measures to protect their asset security.

As we wait for the hacker to wake up, will the negotiations with KyberSwap go smoothly? How will the hacker’s story come to an end? We will continue to follow the updates and report on them.
