glitch Archives - Cryptoupdateclub https://cryptoupdateclub.com/tag/glitch/

KyberSwap attacker used ‘infinite money glitch,’ Australia’s tax agency won’t clarify DeFi rules: Finance Redefined
https://cryptoupdateclub.com/kyberswap-attacker-used-infinite-money-glitch-australias-tax-agency-wont-clarify-defi-rules-finance-redefined/2023/11/24/
Fri, 24 Nov 2023 20:04:15 +0000



Welcome to Finance Redefined, your weekly dose of essential decentralized finance (DeFi) insights — a newsletter crafted to bring you the most significant developments from the past week.

The attacker who stole $46 million from the KyberSwap protocol has used a complex strategy described by a DeFi expert as an “infinite money glitch.” With the exploit, the attackers tricked the platform’s smart contract into believing it had more liquidity available than it did.

Australia’s tax regulator has failed to clarify its rules on DeFi despite Cointelegraph reaching out for answers. The regulator could not answer whether capital gains taxes apply to liquid staking and transferring assets to layer-2 bridges.

The DeFi ecosystem flourished in the past week thanks to ongoing bullish market momentum, with most of the tokens trading in green on the weekly charts.

KyberSwap attacker used “infinite money glitch” to drain funds — DeFi expert

DeFi expert Doug Colkitt laid out a thread on X (formerly Twitter), describing the smart contract exploit engineered by the KyberSwap attacker who drained $46 million from the protocol. 

Colkitt described the exploit as an “infinite money glitch,” where the hackers tricked the smart contract into believing that KyberSwap had more liquidity than it really had. Colkitt also said it is the “most complex” smart contract exploit he has ever seen.


Australia’s tax agency won’t clarify its confusing, “aggressive” crypto rules

On Nov. 9, the Australian Taxation Office (ATO) released new guidance on DeFi. However, the regulator failed to clarify whether capital gains taxes apply to various DeFi features, such as liquid staking and sending funds to layer-2 bridges. 

Cointelegraph reached out to the ATO to clarify the new rules. However, a spokesperson from ATO said that the tax consequences of a transaction “will depend on the steps taken on the platform or contract, and the relevant surrounding facts and circumstances of the taxpayer who owns the cryptocurrency assets.”

With this non-answer, investors may be unable to comply, since the consequences of the guidance remain unclear.


dYdX founder blames v3 central components for “targeted attack,” involves FBI

Antonio Juliano, the founder of DeFi protocol dYdX, went on X to share the findings of the investigation into the $9 million insurance funds within the platform. Juliano said the dYdX blockchain was not compromised and noted that the insurance claims happened on the v3 chain. The fund was being used to fill gaps within the Yearn.finance liquidation processes. 

The dYdX founder also expressed that instead of negotiating with the exploiters, the protocol will offer bounties to those most helpful in the investigation. “We will not pay bounties to, or negotiate with the attacker,” Juliano wrote.


DeFi market overview

Data from Cointelegraph Markets Pro and TradingView shows that DeFi’s top 100 tokens by market capitalization had a bullish week, with most tokens trading in green on the weekly charts. The total value locked into DeFi protocols remained above $47 billion.

Thanks for reading our summary of this week’s most impactful DeFi developments. Join us next Friday for more stories, insights and education regarding this dynamically advancing space.

KyberSwap attacker used ‘infinite money glitch’ to drain funds: DeFi expert
https://cryptoupdateclub.com/kyberswap-attacker-used-infinite-money-glitch-to-drain-funds-defi-expert/2023/11/23/
Thu, 23 Nov 2023 18:13:35 +0000



The attacker who drained $46 million from KyberSwap relied on a “complex and carefully engineered smart contract exploit” to carry out the attack, according to a social media thread by Ambient exchange founder Doug Colkitt. 

Colkitt labeled the exploit an “infinite money glitch.” According to him, the attacker took advantage of a unique implementation of KyberSwap’s concentrated liquidity feature to “trick” the contract into believing it had more liquidity than it did in reality.

Most decentralized exchanges (DEXs) provide a “concentrated liquidity” feature, which allows liquidity providers to set a minimum and maximum price at which they would offer to buy or sell crypto. According to Colkitt, this feature was used by the KyberSwap attacker to drain funds. However, the exploit “is specific to Kyber’s implementation of concentrated liquidity and probably will not work on other DEXs,” he said.

The KyberSwap attack consisted of several exploits against individual pools, with each attack being nearly identical to every other, Colkitt said. To illustrate how it worked, Colkitt considered the exploit of the ETH/wstETH pool on Ethereum. This pool contained Ether (ETH) and Lido Wrapped Staked Ether (wstETH).

The attacker began by borrowing 10,000 wstETH (worth $23 million at the time) from flash loan platform Aave, as shown in blockchain data. According to Colkitt, the attacker then dumped $6.7 million worth of these tokens into the pool, causing its price to collapse to 0.0000152 ETH per 1 wstETH. At this price point, there were no liquidity providers willing to buy or sell, so liquidity should have been zero.

The attacker then deposited 3.4 wstETH and offered to buy or sell between the prices of 0.0000146 and 0.0000153, withdrawing 0.56 wstETH immediately after the deposit. Colkitt speculated that the attacker may have withdrawn the 0.56 wstETH to “make the subsequent numerical calculations line up perfectly.”

After making this deposit and withdrawal, the attacker performed a second and third swap. The second swap pushed the price to 0.0157 ETH, which should have deactivated the attacker’s liquidity. The third swap pushed the price back up to 0.00001637. This, too, was outside of the price range set by the attacker’s own liquidity threshold, as it was now above their maximum price.

Theoretically, the last two swaps should have accomplished nothing, as the attacker was buying and selling into their own liquidity, since every other user had a minimum price set far below these values. “In the absence of a numerical bug, someone doing this would just be trading back and forth with their own liquidity,” Colkitt stated, adding, “and all the flows would net out to zero (minus fees).”

However, due to a peculiarity of the arithmetic used to calculate the upper and lower bound of price ranges, the protocol failed to remove liquidity in one of the first two swaps but also added it back during the final swap. As a result, the pool ended up “double counting the liquidity from the original LP position,” which allowed the attacker to receive 3,911 wstETH for a minimal amount of ETH. Although the attacker had to dump 1,052 wstETH in the first swap to carry out the attack, it still enabled them to profit by 2,859 wstETH ($6.7 million at today’s price) after paying back their flash loan.
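The double counting described above is the kind of fault an invariant check catches: active liquidity tracked incrementally must equal the liquidity recomputed from the positions whose range contains the current price. The Python model below is an added example, not KyberSwap's code or Colkitt's; `ToyPool`, `book_crossing`, the liquidity figure of 1000 and the prices moved through are constructed, and only the position's price range is taken from the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Position:
    lower: float      # minimum price of the LP's range
    upper: float      # maximum price of the LP's range
    liquidity: int

def expected_active(positions, price):
    """Ground truth: liquidity of every position whose range contains price."""
    return sum(p.liquidity for p in positions if p.lower <= price < p.upper)

class ToyPool:
    """Tracks active liquidity incrementally, as swap code does on a crossing."""
    def __init__(self, price, positions):
        self.price, self.positions = price, list(positions)
        self.active = expected_active(self.positions, price)

    def move_price(self, new_price, book_crossing=True):
        # book_crossing=False is a hypothetical switch modelling the failure in
        # the article: the price leaves a range but liquidity is not removed.
        old, self.price = self.price, new_price
        if not book_crossing:
            return
        for p in self.positions:
            was_in = p.lower <= old < p.upper
            now_in = p.lower <= new_price < p.upper
            self.active += p.liquidity * (int(now_in) - int(was_in))

def drift(pool):
    """Invariant check: tracked minus recomputed active liquidity (0 if sound)."""
    return pool.active - expected_active(pool.positions, pool.price)

def replay(start, positions, moves):
    """Apply (price, book_crossing) moves and return the drift after each one."""
    pool, out = ToyPool(start, positions), []
    for price, booked in moves:
        pool.move_price(price, booked)
        out.append(drift(pool))
    return out

# Constructed input: one position over the range quoted in the article.
LP = [Position(0.0000146, 0.0000153, 1000)]
SOUND = replay(0.0000150, LP, [(0.0000157, True), (0.0000150, True)])
FAULTY = replay(0.0000150, LP, [(0.0000157, False), (0.0000150, True)])

if __name__ == "__main__":
    print("sound :", SOUND)    # no drift at any step
    print("faulty:", FAULTY)   # phantom liquidity, then the position counted twice
```

Recomputing from every position is too expensive for an on-chain swap path, so a check of this kind belongs in invariant tests or off-chain monitoring.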

The attacker apparently repeated this exploit against other KyberSwap pools on multiple networks, eventually getting away with a total of $46 million in crypto loot.


According to Colkitt, KyberSwap contained a failsafe mechanism within the computeSwapStep function that was intended to prevent this exploit from being possible. However, the attacker managed to keep the numerical values used in the swap just outside of the range that would cause the failsafe to trigger, as Colkitt stated:

“[T]he ‘reach quantity’ was the upper bound for reaching the tick boundary was calculated as …22080000, whereas the exploiter set a swap quantity of …220799999[.] That shows just how carefully engineered this exploit was. The check failed by <0.00000000001%.”

Colkitt called the attack “easily the most complex and carefully engineered smart contract exploit I’ve ever seen.”

As Cointelegraph reported, KyberSwap was exploited for $46 million on Nov. 22. The team discovered a vulnerability on Apr. 17, but no funds were lost in that incident. The exchange’s user interface was also hacked in September last year, although all users were compensated in that incident. The Nov. 22 attacker has informed the team they are willing to negotiate to return some of the funds.