The attacker who drained $46 million from KyberSwap relied on a “complex and carefully engineered smart contract exploit” to carry out the attack, according to a social media thread by Ambient exchange founder Doug Colkitt.
Colkitt labeled the exploit an “infinite money glitch.” According to him, the attacker took advantage of a unique implementation of KyberSwap’s concentrated liquidity feature to “trick” the contract into believing it had more liquidity than it did in reality.
1/ Finished a preliminary deep dive into the Kyber exploit, and think I now have a pretty good understanding of what happened.
This is easily the most complex and carefully engineered smart contract exploit I’ve ever seen…
— Doug Colkitt (@0xdoug) November 23, 2023
Most decentralized exchanges (DEXs) provide a “concentrated liquidity” feature, which allows liquidity providers to set minimum and maximum prices at which they would offer to buy or sell crypto. According to Colkitt, this feature was used by the KyberSwap attacker to drain funds. However, the exploit “is specific to Kyber’s implementation of concentrated liquidity and probably will not work on other DEXs,” he said.
The KyberSwap attack consisted of several exploits against individual…
