On November 23, 2023, the decentralized finance (DeFi) space was shaken by a meticulously planned exploit of KyberSwap, a leading decentralized exchange (DEX). The exploit, which Doug Colkitt, creator of Ambient exchange, characterized as “the most complex and carefully engineered” he had ever seen, resulted in a loss of approximately $46 million.
To grasp the exploit’s intricacy, one must first understand ‘concentrated liquidity.’ This feature, common across DEXs like KyberSwap, Uniswap, and Ambient, allows liquidity providers to allocate their assets within specific price ranges, enhancing capital efficiency. However, this mechanism also introduces unique vulnerabilities, as exploited in this incident.
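The range mechanics described above, as an added Python example that is not KyberSwap's code and not part of the original article. It uses the standard concentrated-liquidity formulas in floating point and checks that swap accounting matches the reserves implied by the positions. The positions, prices and function names are constructed for illustration; production pools use fixed-point tick arithmetic.

```python
from math import sqrt

# Constructed positions: (liquidity L, lower price, upper price); price = ETH per wstETH.
POSITIONS = [(1000.0, 1.10, 1.15), (4000.0, 1.14, 1.16), (500.0, 1.00, 1.50)]

def position_amounts(L, p, pa, pb):
    """Reserves (wstETH, ETH) backing liquidity L over [pa, pb] at price p."""
    sp = sqrt(min(max(p, pa), pb))      # outside its range a position holds one asset only
    return L * (1 / sp - 1 / sqrt(pb)), L * (sp - sqrt(pa))

def pool_reserves(positions, p):
    """Total (wstETH, ETH) the pool must hold for all positions at price p."""
    amounts = [position_amounts(L, p, pa, pb) for L, pa, pb in positions]
    return sum(a[0] for a in amounts), sum(a[1] for a in amounts)

def active_liquidity(positions, p):
    """Only positions whose range contains the price take part in a swap."""
    return sum(L for L, pa, pb in positions if pa <= p < pb)

def swap_eth_in(positions, p, eth_in):
    """Sell eth_in into the pool range by range; returns (new price, wstETH out)."""
    out = 0.0
    while eth_in > 0:
        L = active_liquidity(positions, p)
        if L == 0:
            raise ValueError("no active liquidity at this price")
        boundary = min(b for _, pa, pb in positions for b in (pa, pb) if b > p)
        sp = sqrt(p)
        target = sp + eth_in / L        # inside one range: d(sqrt P) = d(ETH) / L
        if target >= sqrt(boundary):    # step ends at the boundary; L changes there
            sp_next, p, used = sqrt(boundary), boundary, L * (sqrt(boundary) - sp)
        else:                           # input exhausted inside the current range
            sp_next, p, used = target, target * target, eth_in
        out += L * (1 / sp - 1 / sp_next)
        eth_in -= used
    return p, out

if __name__ == "__main__":
    x0, y0 = pool_reserves(POSITIONS, 1.12)
    price, out = swap_eth_in(POSITIONS, 1.12, 45.0)
    x1, y1 = pool_reserves(POSITIONS, price)
    print(f"price 1.12 -> {price:.5f}, wstETH out {out:.4f}")
    print(f"reserve deltas: wstETH {x0 - x1:.4f}, ETH {y1 - y0:.4f}")
```

The reserve deltas printed at the end should equal the swap's input and output; a mismatch after a boundary crossing means liquidity was counted incorrectly for some range.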
The attacker’s strategy revolved around the Ethereum ETH/wstETH pool on KyberSwap. Starting with a flash loan of 10,000 wstETH (worth about $23 million), the attacker manipulated the pool’s price dynamics. By injecting 2,800 wstETH…