TL;DR
On November 23, 2023, the Kyber Network was exploited across six different chains due to a smart contract vulnerability, which resulted in a loss of approximately $48.3 million worth of assets.
Introduction to Kyber Network
Kyber Network is a hub of liquidity protocols that aggregates liquidity from various sources to provide instant transactions on any dApp.
Vulnerability Assessment
The root cause of the exploit is tick manipulation and double liquidity counting.
Attack Scenario
As seen in one of the attack transactions, the exploiter borrowed a substantial amount of flash-loan and then proceeded to drain the pools with low liquidity.
They manipulated the current prices and ticks of the affected pools by executing swaps and altering positions.
The attacker then triggered multiple swap steps and cross-tick operations, resulting in double liquidity counting and consequently draining the pools.
Attack Simplified
Now, as explained in detail here, let’s try to decipher the attack in simpler terms by referencing two of our favorite characters: Alice and Bob.
Kyber, as with Uniswap V3, divides the liquidity of their pool between specific prices, known as ticks.
Liquidity providers can specify a range to execute their trade. Liquidity providers assert that their liquidity should only be used to execute a trade when the price of an asset falls within the specified range.
As each liquidity provider can specify their own range, liquidity at any point in time is essentially a patchwork of different LP ranges.
In this example, Bob specifies the liquidity for a certain trade as the ticks of $1500-$1700 worth per ETH, while Alice specifies the ticks of $1000-$1600.
Alice puts in 8 ETH, and Bob puts in 10 ETH.
When the price of ETH is at $1400, there is 8 ETH worth of liquidity in the pool that comes from Alice’s end. And, when the price of ETH is at $1500, there’s 18 ETH worth of liquidity as the price also crossed the tick and fell into Bob’s range.
In order to make this patchwork system work, there’s a mechanism for adding or removing how much total liquidity is available from liquidity providers to a trader at a given tick.
It means that, when the price of ETH moves from $1499 to $1500, the pool adds 10 ETH from Bob to the available liquidity for the trader, now totaling 18 ETH.
If the price of ETH goes back to $1499 from $1500, it crosses the ticks set by Bob, thus the pool removes his 10 ETH of liquidity from the available liquidity for the trader, now totaling 8 ETH only.
If the pool counted only the ticks that crossed forward, this swap would execute differently.
When the price of ETH crosses from $1499 to $1500, it will correctly add 10 ETH worth of liquidity from Bob to the total supply for the trader, now totaling 18 ETH. But if the price of ETH goes back to $1499 from $1500, it doesn’t remove his liquidity from the pool.
In this situation, even when the tick is outside of Bob’s range, the total ETH of liquidity available is still 18 ETH by inaccurately counting Bob’s liquidity.
When the price of ETH reaches $1499 and then increases to $1500, the forward tick adds Bob’s liquidity worth 10 ETH back to the pool, resulting in the pool overseeing a total liquidity of 28 ETH.
This continues until the total liquidity is out of sync with reality. At this point, the attacker is able to buy tokens at a massively deflated price and then sell those tokens on other markets where the liquidity is still in sync.
The attacker kept triggering the forward tick and adding fake liquidity without actually triggering the back tick. The difference between the tick bound and price change calculation for trade execution was less than 0.00000000001%.
Aftermath
The team acknowledged the occurrence of the exploit and stated that KyberSwap Elastic experienced a security incident. They advised all of their users to promptly withdraw their funds while the team looked forward to investigating the issue in detail.
Their concentrated liquidity protocol saw its TVL fall from roughly $71.11 million to a bit over $2 million.
The stolen assets across the multiple chains include:
$7.5 million on the Ethereum Mainnet
$20 million on Arbitrum
$15 million on Optimism
$315,000 on Base Network
$2 million on Polygon
$23,497 on Avalanche
The exploiter has transferred approximately 1,000 WETH, worth $2.06 million, to this address on Arbitrum. This address had previously interacted with the Indexed Finance exploiter on the Ethereum Mainnet.
Approximately 500 WETH has been transferred to yet another address on Arbitrum, followed by bridging 300 WETH to the same address on ETH. At the time of this writing, this hacker’s address has accumulated approximately $43,356,351 worth of stolen assets.
This address of the hacker, who made around $46 million worth of funds, initially utilized funds from Tornado Cash on Ethereum Mainnet and then leveraged bridges and Fixed Float to transfer funds to other chains for launching the attack.
The hacker apparently has on-chain flair, as they showed each step of their exploit execution through event logs.
The exploiter also sent an on-chain message to the team upon the attack’s completion, stating that the negotiations will start in a few hours when they are fully rested.
Solution
To address and mitigate risks similar to those seen in the Kyber Network exploit, a tailored solution would encompass several key strategies, each focusing on a specific aspect of smart contract security and resilience.
The cornerstone of this solution would be in-depth and comprehensive code audits. Unlike conventional audits, these would delve deeply into the contract’s logic, examining how different components interact under a range of conditions, including edge cases. These audits would focus on identifying potential vulnerabilities by subjecting the contract to unusual market behaviors, such as drastic price fluctuations or low liquidity scenarios.
An essential part of the testing regime would be invariant testing. This approach is critical for ensuring that the contract maintains certain fundamental truths or conditions (invariants), irrespective of external factors. For instance, in a liquidity pool, the invariant might be that the total liquidity should always equal the sum of the individual contributions. Automated testing frameworks that continuously check these invariants would provide an ongoing assessment of the contract’s integrity.
Back-and-forth testing, or state testing, would also play a crucial role. This process involves altering the state of the contract — for example, changing the price of assets within a liquidity pool — and then reverting it to verify that the contract behaves as expected. Such testing could have been instrumental in identifying the specific manipulation of liquidity pools exploited in the Kyber Network incident.
Utilizing formal verification tools would further strengthen the security framework. These tools provide mathematical proofs to verify the correctness of the contract’s algorithms, offering a higher level of confidence in their resilience against unexpected behaviors.
Finally, the solution would include the implementation of continuous monitoring and real-time anomaly detection systems. DeFi platforms are dynamic environments where new threats can emerge quickly. Real-time monitoring can help in promptly detecting and responding to unusual activities indicative of potential exploits.
Source : Medium / Nov 25, 2023