KyberSwap

November most ‘damaging’ month in 2023 as thieves pilfer $363M in crypto

The Poloniex and HTX/Heco Bridge exploits as well as the KyberSwap flash loan attack were the three largest incidents in November, according to blockchain security firm CertiK.

The cryptocurrency industry has now seen its most “damaging” month for crypto thievery, scams and exploits, with crypto criminals walking away with $363 million in November, according to a blockchain security firm.

Around $316.4 million came from exploits alone, flash loans inflicted $45.5 million in damage, and $1.1 million was lost to various exit scams, CertiK stated in a Nov.

The largest exploits in November occurred on Poloniex and HTX/Heco Bridge, with losses of $131.4 million and $113.3 million, respectively.

The third largest exploit was inflicted on a single victim who lost $27 million from a phishing attack.

Meanwhile, the $45 million KyberSwap attack accounted for nearly all damage done for flash loan attacks in the month.

The latest monthly figure has surpassed an earlier record of $329 million, set in September, caused mainly by the $200 million Mixin Network attack.

As of the end of November, about $1.7 billion has now been lost to exploits, exit scams and flash loan attacks in 2023.

JPMorgan Chase, Bank of America and Citibank Holding $7,427,000,000,000 Off-Balance Sheet in Potentially Dangerous Cocktail of Unknown Assets: Report

KyberSwap DEX hacker sends an on-chain message: Be nice, or else

The exploiter behind the $46 million KyberSwap hack says they plan to outline a treaty for the potential return of funds on Nov. 30, but not if threats and hostilities from execs keep up.

The exploiter behind the $46 million crypto theft against KyberSwap has demanded its execs and tokenholders ease up on the hostilities, threatening to push out negotiations until everyone is “more civil.”

In an on-chain message addressed to KyberSwap executives, tokenholders and liquidity providers on Nov. 28, the exploiter said they plan to release a statement around a potential treaty with KyberSwap on Nov. 30 — but won’t do it if hostilities continue.

“I said I was willing to negotiate. In return, I have received (mostly) threats, deadlines, and general unfriendliness from the executive team,” they said.

“Under the assumption that I am treated with further hostility, we can reschedule for a later date, when we all feel more civil,” they warned.

The team behind KyberSwap — a cross-chain decentralized exchange — initially suggested a bounty deal where the hacker returns 90% of the funds across all exploits, allowing the hacker to keep the remaining 10%.

But they followed up with a threat to pursue legal action after the hacker didn’t comply straight away.

“We have reached out to law enforcement and cybersecurity on this case. We have your footprints to track you,” the KyberSwap team said in a Nov. 25 on-chain message, adding:

“So it's better for you if you take the first offer from our previous message before law enforcement and cybersecurity track you down.”

KyberSwap also told the hacker they would initiate a public bounty program to incentivize anyone providing information to support law enforcement that may lead to their arrest and the recovery of user funds.

The team behind KyberSwap has already managed to recover $4.67 million from the $46 million exploit on Nov. 26 from operators of front-running bots, which managed to extract around $5.7 million in crypto from KyberSwap pools on the Polygon and Avalanche networks.

The team hasn’t yet responded to the exploiter’s latest message on X (formerly Twitter) and is presumably waiting to see the new treaty proposed by the hacker.

Related: KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

A day after the Nov. 22 hack, decentralized finance pundit Doug Colkitt said the attacker used an “infinite money glitch” to carry out a “complex and carefully engineered smart contract exploit” across several networks implementing KyberSwap pools.

Funds were exploited from Avalanche, Polygon and Ethereum and layer-2 networks Arbitrum, Optimism and Base.

KyberSwap runs on Kyber Network, a blockchain-based liquidity hub that aggregates liquidity across different blockchains and enables the exchange of tokens without an intermediary.

Magazine: This is your brain on crypto: Substance abuse grows among crypto traders

Kyber Network Crystal Dips As KyberSwap DeFi Platform Drained $46,500,000 in Ethereum, Arbitrum and Other Assets

Decentralized finance (DeFi) platform KyberSwap has been hacked to the tune of tens of millions of dollars worth of virtual currencies, causing its native asset to dip. Data from blockchain tracker Lookonchain reveals that $46.5 million worth of digital assets were stolen from KyberSwap, including $20.78 million worth of Wrapped Ethereum (wETH), $9.53 million worth […]

The post Kyber Network Crystal Dips As KyberSwap DeFi Platform Drained $46,500,000 in Ethereum, Arbitrum and Other Assets appeared first on The Daily Hodl.

KyberSwap attacker used ‘infinite money glitch’ to drain funds: DeFi expert

By exploiting a bug, the attacker caused liquidity to be "double counted," allowing them to get an unfair price for a swap.

The attacker who drained $46 million from KyberSwap relied on a “complex and carefully engineered smart contract exploit” to carry out the attack, according to a social media thread by Ambient exchange founder Doug Colkitt. 

Colkitt labeled the exploit an “infinite money glitch.” According to him, the attacker took advantage of a unique implementation of KyberSwap’s concentrated liquidity feature to “trick” the contract into believing it had more liquidity than it did in reality.

Most decentralized exchanges (DEXs) provide a “concentrated liquidity” feature, which allows liquidity providers to set a minimum and maximum price at which they would offer to buy or sell crypto. According to Colkitt, this feature was used by the KyberSwap attacker to drain funds. However, the exploit “is specific to Kyber's implementation of concentrated liquidity and probably will not work on other DEXs,” he said.

The KyberSwap attack consisted of several exploits against individual pools, with each attack being nearly identical to every other, Colkitt said. To illustrate how it worked, Colkitt considered the exploit of the ETH/wstETH pool on Ethereum. This pool contained Ether (ETH) and Lido Wrapped Staked Ether (wstETH).

The attacker began by borrowing 10,000 wstETH (worth $23 million at the time) from flash loan platform Aave, as shown in blockchain data. According to Colkitt, the attacker then dumped $6.7 million worth of these tokens into the pool, causing its price to collapse to 0.0000152 ETH per 1 wstETH. At this price point, there were no liquidity providers willing to buy or sell, so liquidity should have been zero.

The attacker then deposited 3.4 wstETH and offered to buy or sell between the prices of 0.0000146 and 0.0000153, withdrawing 0.56 wstETH immediately after the deposit. Colkitt speculated that the attacker may have withdrawn the 0.56 wstETH to “make the subsequent numerical calculations line up perfectly.”

After making this deposit and withdrawal, the attacker performed a second and third swap. The second swap pushed the price to 0.0157 ETH, which should have deactivated the attacker’s liquidity. The third swap pushed the price back up to 0.00001637. This, too, was outside of the price range set by the attacker’s own liquidity threshold, as it was now above their maximum price.

Theoretically, the last two swaps should have accomplished nothing, as the attacker was buying and selling into their own liquidity, since every other user had a minimum price set far below these values. “In the absence of a numerical bug, someone doing this would just be trading back and forth with their own liquidity,” Colkitt stated, adding, “and all the flows would net out to zero (minus fees).”

However, due to a peculiarity of the arithmetic used to calculate the upper and lower bounds of price ranges, the protocol failed to remove liquidity in one of the first two swaps yet still added it back during the final swap. As a result, the pool ended up “double counting the liquidity from the original LP position,” which allowed the attacker to receive 3,911 wstETH for a minimal amount of ETH. Although the attacker had to dump 1,052 wstETH in the first swap to carry out the attack, it still enabled them to profit by 2,859 wstETH ($6.7 million at today’s price) after paying back their flash loan.

The attacker apparently repeated this exploit against other KyberSwap pools on multiple networks, eventually getting away with a total of $46 million in crypto loot.

Related: HTX exchange loses $13.6M in hot wallet hack: Report

According to Colkitt, KyberSwap contained a failsafe mechanism within the computeSwapStep function that was intended to prevent this exploit from being possible. However, the attacker managed to keep the numerical values used in the swap just outside of the range that would cause the failsafe to trigger, as Colkitt stated:

“[T]he ‘reach quantity’, the upper bound for reaching the tick boundary, was calculated as ...22080000, whereas the exploiter set a swap quantity of ...220799999[.] That shows just how carefully engineered this exploit was. The check failed by <0.00000000001%.”

Colkitt called the attack “easily the most complex and carefully engineered smart contract exploit I've ever seen.”

As Cointelegraph reported, KyberSwap was exploited for $46 million on Nov. 22. The team discovered a vulnerability on Apr. 17, but no funds were lost in that incident. The exchange's user interface was also hacked in September last year, although all users were compensated in that incident. The Nov. 22 attacker has informed the team they are willing to negotiate to return some of the funds. 

KyberSwap DEX exploited for $46 million, TVL tanks 68%

The DEX aggregator has been exploited across multiple blockchains with millions in wrapped Ether and other assets stolen.

Around $46 million in various crypto assets has seemingly been drained from the decentralized KyberSwap exchange in the latest decentralized finance exploit.

On Nov. 23, the Kyber Network team alerted its users stating in an X (Twitter) post that KyberSwap Elastic “has experienced a security incident.”

It advised users to withdraw their funds as a precaution and added it was investigating the situation.

Blockchain sleuths highlighted the impacted and exploiter wallet addresses, which were still active at the time.

According to Debank data, around $46 million has been pilfered in the attack, including roughly $20 million in wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH), and $4 million in Arbitrum (ARB).

The funds were split across multiple chains, including Arbitrum, Optimism, Ethereum, Polygon, and Base.

In an X post, blockchain sleuth “Spreek” said he was “fairly sure this is NOT an approval-related issue and is only related to the TVL held in the Kyber pools themselves.”

The attacker has also left an on-chain message for protocol developers and DAO members, saying “negotiations will start in a few hours when I am fully rested.”

Related: KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

DefiLlama data shows KyberSwap’s total value locked (TVL) tanked by 68% over a few hours and almost $78 million left the protocol due to the hack and user withdrawals. Its TVL currently stands at $27 million, down from its 2023 peak of $134 million.

A chart of KyberSwap’s total value locked. Source: DefiLlama

Kyber Network Crystal KNC token prices briefly dipped 7% as news of the exploit broke but have since recovered to trade at $0.74.

The team identified a vulnerability in April, advising users to withdraw liquidity. However, no funds were lost in that incident.

Magazine: Should crypto projects ever negotiate with hackers? Probably

LidoDAO launches official version of wstETH on Base

LidoDAO took control of the deployment for a wrapped version of its flagship token, stETH, on Base.

Lido’s governing body has approved the deployment of Lido’s Wrapped Staked Ether (wstETH) to Coinbase’s Base network, according to a Nov. 8 announcement. The token is now live and can be traded or used in decentralized finance (DeFi) applications on the Base network.

Lido is a liquid staking protocol that allows users to stake some cryptocurrencies while simultaneously using them in DeFi applications. It does this by issuing a derivative token that can be redeemed for the underlying staked one. 

In the case of Ethereum’s native coin, Ether (ETH), the derivative token is called “Lido Staked Ether (stETH),” which exists on the Ethereum network. When it is sent to other networks through a bridge, it has to first be wrapped, creating a double derivative token called “Wrapped Staked Ether (wstETH).” Before Nov. 8, no official version of wstETH existed on the Base network.

On Oct. 17, Kyberswap announced that the Beefy Finance team had deployed an unofficial version of wstETH on Base. The two teams offered a proposal for the DAO to take control and accept ownership of this version, so as to officially endorse it.

Related: Lido will ‘wind down’ support for Solana stSOL token

The DAO approved the proposal on Nov. 2 after 597 million votes were cast in favor of it and 255 were cast against it.

“The availability of wstETH on Base marks a major milestone in the journey to scaling wstETH adoption,” LidoDAO contributor Marin Tvrdić stated. “Expanding the protocol’s network of compatible L2s bridges the gap between scalability limitations and the growing demand for decentralized staking to benefit the broader Ethereum ecosystem.”

Although this particular deployment received support from LidoDAO members, not all versions of wstETH have been accepted as official. LayerZero launched a version of wstETH for Avalanche, BNB Chain, and Scroll that drew criticism from multiple protocols for allegedly being “proprietary.” That version is still being debated by the DAO, and no vote has yet been taken on it.

Binance CEO Changpeng Zhao Says Crypto Titan Has Unmasked Two Suspects Involved in $265,000 DeFi Hack

Crypto exchange giant Binance says it has identified the bad actors suspected to be behind the hack of decentralized exchange (DEX) KyberSwap. The perpetrators allegedly injected malicious script on KyberSwap’s Google Tag Manager (GTM) on September 1st, enabling them to move users’ funds. Kyber says that it managed to neutralize the exploit but not before […]

The post Binance CEO Changpeng Zhao Says Crypto Titan Has Unmasked Two Suspects Involved in $265,000 DeFi Hack appeared first on The Daily Hodl.

Binance identifies KyberSwap hack suspects, involves law enforcement

Based on an independent investigation, Binance’s security team identified two suspects that may be responsible for orchestrating the virtual heist of $265,000 on KyberSwap.

Helping investigate a $265,000 hack on decentralized crypto exchange KyberSwap, crypto exchange Binance narrowed down two suspects that seem responsible for the attack. 

On Sept. 1, Kyber Network succumbed to a frontend exploit, allowing the attacker to make away with $265,000 worth of user funds from KyberSwap. While investigations were underway, KyberSwap offered a 10% bounty — of roughly $40,000 — to the hacker as means to remediate the situation.

In parallel, based on an independent investigation, Binance’s security team identified two suspects that may be responsible for orchestrating the virtual heist. Binance CEO Changpeng ‘CZ’ Zhao confirmed that the intel had been sent to the Kyber team.

Binance has also begun coordinating with law enforcement as efforts from both ends continue to corner the hackers.

Being the biggest crypto exchange in terms of trading volume, Binance’s proactive and selfless effort to help investors from other ecosystems didn't go unnoticed, as one of the community members pointed out:

“Binance is now playing the role of a big brother in the crypto space. Binance has gone beyond securing its platform to securing the entire crypto ecosystem.”

If Binance’s investigation checks out, KyberSwap investors may be witness to a rare community-driven hack redemption.

Related: Binance froze $1M corporate account due to law enforcement request

CZ recently pushed back against rumors and false allegations that Binance was a Chinese-based “criminal entity” that “secretly [belongs] in the pocket of the Chinese government.”

While explaining his long-time ties to Chinese entrepreneurs and colleagues, he added:

“The greatest challenge that Binance faces today is that we (and every other offshore exchange) have been designated a criminal entity in China. At the same time, our opposition in the west bends over backward to paint us as a ‘Chinese company.’”

CZ confirmed that Binance has never been legally incorporated in China and never operated like a Chinese company culturally either.

Kyber Network offers bounty following $265K hack of decentralized exchange

"As a bug bounty, we are offering you 15% of the funds if you return it and have a conversation with our team," said Kyber Network.

KyberSwap, the decentralized exchange built on liquidity protocol Kyber Network, has offered a hacker 15% of the funds from a $265,000 exploit as a bug bounty.

In a Thursday blog post, Kyber Network said a hacker had used a frontend exploit to pilfer roughly $265,000 worth of user funds from KyberSwap. The protocol said it will compensate all users for any missing funds related to the exploit, and directly addressed the hacker to give them an opportunity to return the funds in exchange for “a conversation with our team” and 15% of what was taken — roughly $40,000.

“We know the addresses you own have received funds from central exchanges and we can track you down from there,” said Kyber Network. “We also know the addresses you own have OpenSea profiles and we can track you through the NFT communities or directly through OpenSea. As the doors of exchanges close upon you, you will not be able to cash out without revealing yourself.”

Kyber Network reported shutting down its frontend following the discovery of a “suspicious element” at 8:24 AM UTC on Sept. 1. The platform disabled its user interface and found “a malicious code” in its Google Tag Manager, which targeted “whale wallets with large amounts,” giving the hacker the ability to transfer funds to different addresses. According to Kyber Network co-founder Loi Luu, this was the first hack on the protocol in five years.

“The attack was identified and put a stop to after 2 hours of investigations,” said Kyber Network. “This attack was an FE exploit and there is no smart contract vulnerability.”

Related: DeFi isn’t dead, it just needs to fix these 3 critical problems

Hackers have used exploits to execute attacks on many decentralized finance protocols, including the $100 million removed from the Horizon Bridge in June and the $200 million worth of crypto drained from the Nomad token bridge in August. Cointelegraph reported on Aug. 11 that the overwhelming majority of attackers responsible for the Nomad bridge hack copied the original exploit, directing funds to addresses they chose.

KyberSwap’s Trending Soon Feature Helps You Find Today the Tokens Everyone Will be Talking About Tomorrow

Have you ever wanted to be able to see what crypto trends are about to emerge before everyone else? Then check out KyberSwap’s Trending Soon feature for assistance. Read on to learn more! Find Out What Tokens Might Be Trending Soon KyberSwap is a leading multi-chain Decentralized Exchange (DEX) aggregator and one of the best […]