Hacker drains KyberSwap Elastic Pools of about $47 million

KyberSwap representatives said that the Elastic Pools liquidity pool was breached, with the hacker withdrawing around $47 million from the protocol.

?Urgent?

Dear KyberSwap Elastic Users,
We regret to inform you that KyberSwap Elastic has experienced a security incident.

As a precautionary measure, we strongly advise all users to promptly withdraw their funds. Our team is diligently investigating the situation, and we…

— Kyber Network (@KyberNetwork) November 22, 2023

“As a precautionary measure, we strongly urge all users to promptly withdraw their funds,” the project team warned.

The first to detect the hack was user X under the alias Spreek, pointing to a suspicious withdrawal.

Kyber being exploited on all chains rn. here’s an example tx on base. 20m+ lost already pic.twitter.com/gvv7M9HWH6

— Spreek (@spreekaway) November 22, 2023

According to his calculations, the stolen assets include $7.5 million on the Ethereum network, $15 million on Optimism, $16 million on Arbitrum, $2.8 million on Polygon, and $870,000 on Base.

The hacker also left a message with the transaction:

“Dear KyberSwap developers, staff, members DAO and partners, negotiations will begin in a few hours once I have fully rested. Thank you.”

Adam Cochran, general partner at Cinneamhain Ventures, believes the exploit was possible thanks to the use of flash loans and “some mathematical calculations.” He arrived at this conclusion because each attacker transaction began with ETH arriving to pay for the swap.

Looks like the Kyber exploits is flash loans and some sort of math/rounding issue.

Each tx is starting with an ETH balance coming in, looped mint/redeem/swap.

So likely not a risk to approvals from non-LPs but worth staying frosty

— Adam Cochran (adamscochran.eth) (@adamscochran) November 22, 2023

Earlier unknown withdrawn $25 million in cryptocurrencies from the Taiwan-based Kronos Research trading platform.

Earlier on November 22, Justin Sun reported a hack on HTX’s hot wallet and the cross-chain bridge Heco Bridge. Experts estimate the damage at over $110 million.