The decentralized exchange KyberSwap has offered a 10% bounty reward to the hacker who stole $46 million on Nov. 22 and left a note about negotiating. The exchange wants 90% of the loot returned by 6 a.m. UTC on Nov. 25.
On Nov. 23, KyberSwap alerted users that its liquidity solution, KyberSwap Elastic, was compromised and advised them to withdraw funds. In the meantime, on Nov. 22, the hacker made away with roughly $20 million in Wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH) and $4 million in Arbitrum (ARB). The hacker then siphoned the loot across a number of chains, including Arbitrum, Optimism, Ethereum, Polygon and Base.
After hiding the stolen funds, the hacker wrote an on-chain message directed to KyberSwap Builders, Workers, DAO members and LPs, stating, “Negotiations will begin in just a few hours when I’m totally rested.”
Following a day’s silence from both sides, KyberSwap responded to the hacker, requesting the return of 90% of the stolen funds. The team acknowledged the hacker’s skills and laid out an offer:
“On the desk is a bounty equal to 10% of customers’ funds taken from them by your hack, for the secure return of all the customers’ funds. However, we each know the way this works, so let’s cut to the chase so that you and these customers can all get on with life.”
If the hacker fails to pay back or reply to KyberSwap by 6 a.m. UTC, Nov. 25, “you keep on the run,” stated KyberSwap. The team is open to further discussion with the hacker by email.
A dissection of the recent KyberSwap hack by a decentralized finance (DeFi) professional suggests that the attacker used an ‘infinite cash glitch’ to drain funds.
Ambient exchange founder Doug Colkitt explained that the KyberSwap attacker relied on a “complicated and punctiliously engineered smart contract exploit” to carry out the attack.
1/ Completed a preliminary deep dive into the Kyber exploit, and suppose I now have a reasonably good understanding of what occurred.
That is simply essentially the most complicated and punctiliously engineered smart contract exploit I’ve ever seen…
— Doug Colkitt (@0xdoug) November 23, 2023
The attacker then repeated this exploit against other KyberSwap pools on a number of networks, ultimately getting away with $46 million in crypto loot.