Kyber swap elastic breach

On November 23, 2023, KyberSwap, a decentralized trading platform on Ethereum, was hacked, resulting in the theft of approximately $54.7 million in tokens, including USDC, WETH, and WBTC, across multiple blockchains, as reported by SlowMist. Detected at 02:00 UTC, the attack exploited a vulnerability in KyberSwap Elastic’s Reinvestment Curve, where the calcReachAmount function overestimated token amounts due to compounded fee liquidity, causing the price (sqrtP) to overshoot the boundary tick (111310) without updating liquidity via _updateLiquidityAndCrossTick, per SlowMist. Attackers, using addresses like 0x50275e0b7261559ce1644014d4b78d4aa63be836, executed a flash loan from AAVE, manipulated liquidity in the frxETH/WETH pool, and profited ~9 WETH per reverse swap, stealing $20.29 million on Arbitrum, $15.64 million on Optimism, and $7.58 million on Ethereum, per MistTrack.

KyberSwap, with $300 million in total value locked per DefiLlama, paused operations and urged users to withdraw funds, per Twitter (@KyberNetwork). Initial funds from Tornado Cash and FixedFloat were traced, but no stolen assets were recovered, with most untouched, per SlowMist.

One of 299 DeFi hacks in 2023, costing $2.6 billion, per Chainalysis, the incident, following Curve’s $47 million loss, fueled calls for rigorous boundary condition testing, audited liquidity models, and real-time smart contract monitoring to secure DeFi platforms.