Kyber Network, a decentralized exchange and liquidity protocol, has been exploited by an unknown attacker who drained over $20 million worth of tokens from its pools across multiple chains. The exploit was first reported by FXStreet and confirmed by Kyber on its official Twitter account.
According to Kyber, the exploit was caused by a bug in its permissionless reserve smart contract, which allowed the attacker to manipulate the prices of the tokens in the pools and arbitrage them for profit. The exploit affected the pools on Ethereum, Polygon, Binance Smart Chain, and Arbitrum.
The attacker used a flash loan of 7,500 ETH from dYdX to initiate the exploit, and then swapped the borrowed ETH for various tokens on Kyber at inflated prices. The attacker then sold the tokens on other platforms, such as Uniswap and SushiSwap, and repaid the flash loan with interest. The attacker repeated this process several times, exploiting different pools and chains, and ended up with a net profit of over $20 million.

The exploit was detected by PeckShield, a blockchain security firm, which alerted Kyber and helped it stop the attack and prevent further losses. PeckShield also published a detailed analysis of the exploit, showing the transactions and the tokens involved.
How Kyber responded
Kyber said that it has paused all the affected pools and is working on a fix to prevent similar exploits in the future. It also said that it will cover the losses of the liquidity providers and users who were affected by the exploit, and that it will provide more details on the compensation plan soon.
Kyber urged its users to withdraw their funds from the pools as soon as possible, and to avoid using its services until the issue is resolved. It also apologized for the inconvenience and thanked its community for their support.
Kyber is not the first decentralized exchange to suffer a multi-chain exploit this year. In September, Mixin Network, a cross-chain protocol, was hacked for $200 million, and offered the hacker a $20 million bug bounty to return the funds. However, the hacker did not respond to the offer, and Mixin said that it could only reimburse its users up to 50% of their losses.
What this means for the DeFi space
The exploit of Kyber Network highlights the risks and challenges of the decentralized finance (DeFi) space, especially for cross-chain protocols that operate on multiple blockchains. While cross-chain interoperability enables more liquidity and innovation, it also exposes the protocols to more attack vectors and vulnerabilities.
According to a report by Token Terminal, bridge exploits account for more than 50% of DeFi losses, and have resulted in losses of over $2.5 billion. The report also suggests that cross-chain protocols need to improve their security and auditing practices, and that users need to be more cautious and aware of the risks involved.
The exploit of Kyber Network also shows the role that flash loans play in attacks of this kind. Flash loans are uncollateralized loans that allow users to borrow and repay large amounts of funds within one transaction. They are often used for arbitrage, liquidations, and self-balancing, but they can also be used for malicious purposes, such as exploiting price discrepancies and draining liquidity pools. Flash loans have been involved in many of the major DeFi exploits, such as the ones on bZx, Harvest Finance, and Alpha Finance.
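
As an added example (not code from Kyber, PeckShield or the original article), the following Python shows monitoring logic for the pattern described above: it groups decoded events by transaction and flags any pool whose price, between a flash-loan borrow and its repayment, strays more than a threshold from its entry price. The event schema, pool names, transaction ids and the 10% threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (hypothetical schema, not a real indexer's format).
# "tx" values are placeholder transaction ids; "idx" is the log order in the tx.
EVENTS = [
    {"tx": "0xaaa", "idx": 0, "kind": "flash_borrow", "amount": 7500},
    {"tx": "0xaaa", "idx": 1, "kind": "swap", "pool": "POOL-A", "price_before": 1.00, "price_after": 1.62},
    {"tx": "0xaaa", "idx": 2, "kind": "swap", "pool": "POOL-A", "price_before": 1.62, "price_after": 1.05},
    {"tx": "0xaaa", "idx": 3, "kind": "flash_repay", "amount": 7500},
    {"tx": "0xbbb", "idx": 0, "kind": "swap", "pool": "POOL-A", "price_before": 1.05, "price_after": 1.06},
    {"tx": "0xccc", "idx": 0, "kind": "flash_borrow", "amount": 100},
    {"tx": "0xccc", "idx": 1, "kind": "swap", "pool": "POOL-B", "price_before": 2.00, "price_after": 2.01},
    {"tx": "0xccc", "idx": 2, "kind": "flash_repay", "amount": 100},
]

def flag_flash_loan_price_moves(events, max_move=0.10):
    """Return {tx: {pool: peak_move}} for transactions in which a pool's price,
    between a flash-loan borrow and its repayment, moved more than max_move
    (as a fraction) away from the price the pool had when the tx first hit it."""
    by_tx = defaultdict(list)
    for ev in events:
        by_tx[ev["tx"]].append(ev)

    alerts = {}
    for tx, evs in by_tx.items():
        evs.sort(key=lambda e: e["idx"])
        kinds = [e["kind"] for e in evs]
        if "flash_borrow" not in kinds or "flash_repay" not in kinds:
            continue  # ordinary trading, no flash loan in this transaction
        start = kinds.index("flash_borrow")
        end = len(kinds) - 1 - kinds[::-1].index("flash_repay")
        entry_price, peak = {}, defaultdict(float)
        for ev in evs[start + 1:end]:
            if ev["kind"] != "swap":
                continue
            base = entry_price.setdefault(ev["pool"], ev["price_before"])
            if base <= 0:
                continue  # malformed price, cannot compute a ratio
            # Track the peak, not the final price: a round trip can end near
            # the entry price and still have distorted it mid-transaction.
            move = abs(ev["price_after"] - base) / base
            peak[ev["pool"]] = max(peak[ev["pool"]], move)
        flagged = {p: round(m, 4) for p, m in peak.items() if m > max_move}
        if flagged:
            alerts[tx] = flagged
    return alerts
```

In the constructed data, transaction 0xaaa ends only 5% away from its entry price but is still flagged, because the peak deviation inside the loan window was 62%.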