Audits
Services
Services
Smart Contract Audit
Blockchain Protocol Audit
Penetration Testing
Cloud Penetration Testing
dApp Audit
Crypto Wallet Audit
Cross-Chain Bridge Audit
Bug Bounty
Proof of Reserves
CCSS Audit
Tokenomics Audit & Design
Smart Contract Audit
Mitigate weaknesses in your smart contract and improve its functionality with a double line-to-line code analysis and a separate review by a lead auditor.
Blockchain Protocol Audit
Secure the entire architecture and implementation layers of your blockchain protocol with professional security audits and testing.
Penetration Testing
Proactively detect vulnerabilities in your Web3 project by subjecting your systems to a simulated cyberattack in a secure and controlled environment.
Cloud Penetration Testing
Secure your cloud with Hacken's expert penetration testing. Our certified team delivers tailored security solutions for AWS, Azure, Kubernetes, and more, ensuring your data's safety.
dApp Audit
Identify vulnerabilities in applications interacting with blockchain networks with secure code review and static security analysis.
Crypto Wallet Audit
Code review & static security analysis for crypto wallet apps.
Cross-Chain Bridge Audit
Code review & security analysis for cross-chain crypto bridges.
Bug Bounty
Receive only relevant bug reports or undergo crowdsourced penetration testing with the help of thousands of ethical hackers curated by HackenProof.
Proof of Reserves
Enhance transparency in crypto exchanges with independent on-chain proof of assets’ true collateralization.
CCSS Audit
Assess and strengthen your security practices, identify vulnerabilities, and safeguard valuable digital assets in the ever-evolving cryptocurrency landscape.
Tokenomics Audit & Design
Ensure your token model robustness and efficiency and convey trust to investors and community with our thorough, independent audit of protocol economic security.
Solutions
Post-deployment security solution
Hacken Extractor
Real-time smart contract protection from assets loss
Learn more
Solutions
Featured ecosystems:
Ethereum (EVM)
BSC
Polygon
Near
Avalanche
Fantom
Aptos
Sui
Optimism
zkSync
Arbitrum
Solana
Polkadot
Cosmos
Radix
Linea
MetaMask
Others
By Languages:
Solidity
Rust
Move
Blog
Company
Company

KyberSwap’s $47M Reentrancy Attack: A Deep Dive into the Exploit

KyberSwap’s $47M Reentrancy Attack: A Deep Dive into the Exploit

2 minutes

KyberSwap, a multi-chain DEX aggregator, fell victim to a smart contract reentrancy attack on November 23, 2023. The exploit led to a loss of approximately $47 million across multiple networks and a 90% drop in TVL.

Let’s take a closer look.

Inside the Attack

Exploiter Wallet

Address: 0xc9b826bad20872eb29f9b1d8af4befe8460b50c6
Role: Central node in the attack, receiving and redistributing the stolen funds.

Key Transactions

Attack Impact Across Networks

Arbitrum: $20M
Optimism: $15M
Kyber Mainnet: $7.5M
Polygon: $2M
Base: $315K

Total Value Locked dropped 90% from $84.9M to $8.28M million on the day of the hack, which exemplifies the profound impact of smart contract vulnerabilities. Initially, the exploit led to the direct loss of $49M. Subsequently, KyberNetwork’s recommendation resulted in an additional $27M being withdrawn by users.

The Flaw: Reentrancy in the Mint Function

The core of the exploit was most likely a vulnerability in the mint function of KyberSwap’s new v2 reinvestment token (KS2-RT). This implementation contained some sort of mint callback, which might have created a loophole for reentrancy attacks.

Vulnerable Contract

KS2-RT: Smart Contract Tracker

Note: If other KyberSwap forks aren’t implementing this v2 reinvestment schema, they are probably not vulnerable.

Kyber Network’s Response

Kyber Network, in a swift reaction to the breach, issued an urgent advisory to users, urging them to withdraw their funds as a precautionary measure. The team is actively investigating the incident to understand its full scope and implement necessary security measures.

Lessons Learned: Securing DEXs

This incident underscores the need for rigorous security protocols in DeFi platforms, particularly in the management and implementation of smart contracts. The reentrancy vulnerability exploited in this case highlights the critical importance of:

Thorough Auditing: Regular and comprehensive smart contract audits to identify potential vulnerabilities, especially when upgrading functions.
Real-Time Monitoring: Continuous monitoring of network activity to detect and respond to suspicious transactions.
Best Practices in Development: Adherence to secure coding practices and learning from past incidents to prevent similar exploits.

Follow @hackenclub on 𝕏 (Twitter)

Conclusion: Fortifying DeFi’s Future

The KyberSwap attack serves as a reminder of the constant threats in the DeFi ecosystem. As we navigate this dynamic landscape, it’s imperative for all stakeholders to adopt a security-first approach, continuously enhancing their defenses against sophisticated exploits. This proactive stance is crucial in maintaining trust and stability in the world of decentralized finance.

Stay updated with the latest in blockchain security.

Subscribe
to our newsletter

Be the first to receive our latest company updates, Web3 security insights, and exclusive content curated for the blockchain enthusiasts.

Table of contents

→Inside the Attack
→Lessons Learned: Securing DEXs
→Conclusion: Fortifying DeFi’s Future

Tell us about your project

KyberSwap’s $47M Reentrancy Attack: A Deep Dive into the Exploit