Exploit of KyberSwap's Concentrated Liquidity Feature Results in $46 Million Loss

blockchain.news:

On November 23, 2023, the decentralized finance (DeFi) space was shaken by a meticulously planned exploit of KyberSwap, a leading decentralized exchange (DEX). The exploit, which Doug Colkitt, creator of Ambient exchange, characterized as «the most complex and carefully engineered» he had ever seen, resulted in a loss of approximately $46 million.

To grasp the exploit's intricacy, one must first understand 'concentrated liquidity.' This feature, common across DEXs like KyberSwap, Uniswap, and Ambient, allows liquidity providers to allocate their assets within specific price ranges, enhancing capital efficiency. However, this mechanism also introduces unique vulnerabilities, as exploited in this incident.

The attacker's strategy revolved around the Ethereum ETH/wstETH pool on KyberSwap. Starting with a flash loan of 10,000 wstETH (worth about $23 million), the attacker manipulated the pool's price dynamics. By injecting 2,800 wstETH ($6 million) into the pool, they significantly skewed the ETH to wstETH price ratio. This action moved the pool's price to a range with virtually no existing liquidity, setting the stage for the exploit.

With the pool's price artificially altered, the attacker then minted a small amount of liquidity in a narrowly defined price range. Following this, they executed two crucial swaps. The first swap involved selling a large quantity of wstETH for a minimal amount of ETH, drastically pushing the price down. The second swap reversed this, buying back a more significant amount of wstETH for a fractionally higher amount of ETH. This series of transactions should have, under normal circumstances, resulted in negligible net gains due to the self-contained nature of the trades.

However, due to a