Kyberswap Hack Analysis
On November 23, 2023, Kyberswap suffered an attack caused by tick manipulation and the counting of liquidity twice, leading to an approximate loss of over 40M USD.
Smart Contract Hack Overview:

Brief Description:
- The root cause of the KyberSwap exploit was manipulation of ticks: the system state was aligned so that currentTick sat on a valid tick range boundary while nearestCurrentTick was currentTick - 1.
- Liquidity was then minted in the range (currentTick, currentTick + n) for a specific n.
- During a one-for-zero swap in this state, the nearestCurrentTick was erroneously calculated as currentTick - 1 instead of the next initialized tick. This miscalculation led to unintended consequences, causing the recently added liquidity to be duplicated.
- Prior to minting, crossing the tick boundary had added L0 liquidity. Minting introduced L1 liquidity, but it also added liquidity to the tick range.
- Crossing the tick boundary subsequently resulted in the addition of L0 + L1 liquidity. Executing a small one-for-zero swap across the tick boundary compounded the issue. In total, L1 + L0 + L1 liquidity was inadvertently added due to the combined effects of minting and crossing ticks, where two ticks were incorrectly considered the same in the calculation.
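The accounting described above, reduced to a toy Python model as an added example (not KyberSwap's code and not part of the original analysis). The `ToyPool` class, its fields and the values `T`, `n`, `L0`, `L1` are assumptions made for illustration, and the minted range is taken to start at the current tick. It shows the invariant a test suite can assert to catch the double count: active liquidity must equal the sum of the positions that cover the current tick.

```python
from collections import defaultdict

class ToyPool:
    """Simplified concentrated-liquidity accounting (hypothetical model)."""
    def __init__(self, current_tick, nearest_tick):
        self.current_tick = current_tick  # tick of the current price
        self.nearest_tick = nearest_tick  # last initialized tick treated as crossed
        self.active = 0                   # liquidity the pool believes is in range
        self.net = defaultdict(int)       # delta applied when a tick is crossed upward
        self.positions = []               # (lower, upper, liquidity): ground truth

    def mint(self, lower, upper, liquidity):
        self.positions.append((lower, upper, liquidity))
        self.net[lower] += liquidity
        self.net[upper] -= liquidity
        if lower <= self.current_tick < upper:  # in range: counted immediately
            self.active += liquidity

    def swap_up_to(self, target_tick):
        # Crosses every initialized tick above the pointer, not above the price.
        for tick in sorted(t for t in self.net if self.nearest_tick < t <= target_tick):
            self.active += self.net[tick]
            self.nearest_tick = tick
        self.current_tick = target_tick

    def expected_active(self):
        # Recompute from positions, independently of the tick bookkeeping.
        return sum(liq for lo, hi, liq in self.positions
                   if lo <= self.current_tick < hi)

def invariant_holds(pool):
    return pool.active == pool.expected_active()

def run_scenario(consistent):
    T, n, L0, L1 = 100, 10, 500, 300  # constructed sample values
    pool = ToyPool(current_tick=T - 1, nearest_tick=T - 1)
    pool.mint(T, T + n, L0)           # out of range at T - 1: active stays 0
    if consistent:
        pool.swap_up_to(T)            # normal crossing: active = L0, pointer = T
    else:
        pool.current_tick = T         # price on the boundary, pointer left at T - 1
    pool.mint(T, T + n, L1)           # counted as in range, and added to net[T]
    pool.swap_up_to(T + 1)            # small swap across the boundary
    return pool.active, pool.expected_active(), invariant_holds(pool)

if __name__ == "__main__":
    print("consistent state:  ", run_scenario(True))
    print("inconsistent state:", run_scenario(False))
```

In the inconsistent run the pool reports L1 + L0 + L1 while the positions only justify L0 + L1, so the invariant fails.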
Decoding the Smart Contract Vulnerability:
- The exploitation at KyberSwap resulted from manipulative actions involving tick adjustments and the counting of liquidity twice.
- The attackers employed a flash loan to deplete pools characterized by low liquidity.
- Through the execution of swaps and strategic position changes, they tampered with the prevailing prices and ticks within the targeted pools.
- The attackers initiated multiple swap steps and cross-tick operations to induce double liquidity counting.
- As a consequence, the pools were effectively drained by this orchestrated sequence of actions.

Mitigation and Best Practices:
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup