KyberSwap alerted users to a “security incident” on its platform, where an estimated $48 million worth of crypto has been drained so far.
Photo by Alberico Bartoccini on Unsplash
Posted November 23, 2023 at 12:39 am EST.
Multichain aggregator KyberSwap appeared to have been exploited late on Wednesday night, with multiple users reporting that millions of dollars’ worth of crypto was drained from the platform.
In an X post, the KyberSwap team notified users that it had suffered a “security incident” and urged users to withdraw their funds as a precautionary measure.
🚨Urgent🚨
Dear KyberSwap Elastic Users,
We regret to inform you that KyberSwap Elastic has experienced a security incident.As a precautionary measure, we strongly advise all users to promptly withdraw their funds. Our team is diligently investigating the situation, and we…
— Kyber Network (@KyberNetwork) November 22, 2023
“KyberSwap’s aggregator is not impacted and is operating fully as normal,” the team said in a follow up post.
According to Debank data, $48 million has been stolen so far, of which $20 million was in wrapped Ether (wETH) and $7 million was in Lido’s staked Ether (stETH) tokens.
Kyber being exploited on all chains rn. here’s an example tx on base. 20m+ lost already pic.twitter.com/gvv7M9HWH6
— Spreek (@spreekaway) November 22, 2023
Blockchain sleuth “@spreekaway” noted that the exploit took place on all chains, with $7.5 million on Polygon, $315,00 on Base, $15 million on Optimism, $2 million on Polygon and $20 million on Arbitrum.
According to Spreek, the exploit was not an approval based issue, but rather the Total Value Locked (TVL) held in Kyber’s liquidity pools. Data from DeFiLlama shows that Kyber’s TVL dropped 83% over the last few hours from $84 million to $14 million at the time of writing.
Spreek also highlighted a blockchain transaction with a message embedded from the hacker to Kyber’s developers, employees, DAO and liquidity providers that read “negotiations will start in a few hours when I am fully rested.”
The Kyber team appeared to have replied to the hacker with their own message, asking “how is Ontario this time of year,” likely implying that they traced the attackers IP address.
