This repo contains the details of an exploit that drains 82.37% of the Elastic pool for wstETH-ETH on the Ethereum Mainnet at block height 17050000 (2023-Apr-15 04:13:47 AM +UTC). This root cause of this exploit has now been fixed and a new audit has been conducted.
The exploit is generalisable to any pool running on the old Elastic code in the ks-elastic-sc-legacy repo.
I submitted this Proof of Concept to Kyber Network on 17 April 2023. Kyber Network quickly disabled minting of new positions, and asked their LPs to withdraw their liquidity. After swiftly fixing the code and performing a fresh audit with Chain Security Kyber Network re-launched the Elastic pools on 24 April 2023.
You can read more about the exploit in my blog post Saving $100M at risk in KyberSwap Elastic.
- The report for this exploit is in REPORT.md
- The test file that performs the exploit is in test/KyberswapLegacyTest.sol. The details are in function
performFullHack
at KyberswapLegacyTest.sol:133-236 - A PoC showing the that vulnerability is not present in the updated contracts is in KyberswapTest.sol.
- Install Foundry
Follow the installation instructions
Set EVMNET_FORK_URL
e.g.
export EVMNET_FORK_URL="https://mainnet.infura.io/v3/deadbeefdeadbeefdeadbeefdeadbeef"
Or you can add an entry in a .env
file e.g.
EVMNET_FORK_URL="https://mainnet.infura.io/v3/deadbeefdeadbeefdeadbeefdeadbeef"
$ npm install
$ ./run-forge