KyberSwap — concentrated-liquidity exploit
An attacker exploited a tick-boundary rounding flaw in KyberSwap Elastic's concentrated-liquidity contracts to drain $54M across six chains, then demanded total governance control of the protocol.
- Target: KyberSwap — concentrated-liquidity exploit
- Date public: 23 November 2023
- Sector: Crypto
- Attack type: Vulnerability Exploit
- Threat actor: Unattributed
- Severity: Medium
- Region: Global
KyberSwap is a decentralised exchange — software that runs on blockchain networks and lets people trade tokens directly without a company in the middle. Its Elastic product used a design called "concentrated liquidity," which makes trades more efficient by letting investors focus their funds in specific price ranges. That design requires very precise maths. In November 2023 an attacker found a flaw in that maths — specifically in the way the contracts handled rounding at the edges of liquidity positions. By executing a carefully constructed sequence of trades, they could trick the contracts into releasing more funds than the protocol intended. They drained $54 million across six different blockchain networks in a single attack. After the theft, the attacker posted messages on-chain demanding total control of KyberSwap's governance and treasury. KyberSwap refused the terms. The attacker later indicated willingness to negotiate but most of the funds were not recovered. KyberSwap shut down its Elastic product and restructured. The incident became the clearest demonstration that concentrated-liquidity AMMs — the most capital-efficient design in DeFi — are also uniquely complex and therefore uniquely vulnerable to precision-logic exploits.
What happened
On 23 November 2023 an attacker drained approximately $54 million from KyberSwap Elastic’s liquidity pools across six blockchain networks: Ethereum, Arbitrum, Optimism, Polygon, Base, and Avalanche. The attack was executed over the course of a few hours and targeted all deployed instances of the KyberSwap Elastic smart contracts simultaneously.
KyberSwap Elastic is a concentrated-liquidity automated market maker (AMM) — a more capital-efficient variant of standard AMM design that allows liquidity providers to concentrate their funds in specific price ranges rather than distributing them uniformly. This efficiency comes at the cost of increased mathematical complexity in the liquidity accounting logic, and it was that complexity that the attacker exploited.
After extracting the funds, the attacker sent on-chain messages to KyberSwap containing a list of demands that included, among other provisions, “complete executive control over KyberSwap [the company], the Kyber Network protocol and DAO, and all Kyber Finance assets.” The attacker requested that the Kyber team go on holiday and hand over decision-making. KyberSwap declined the demands; negotiations over partial returns for smaller affected pools continued for some time but the bulk of the $54 million was not recovered. KyberSwap subsequently shut down its Elastic product, announced significant staff layoffs, and restructured the broader Kyber Network organisation around its Classic AMM and aggregator products.
How it worked
The exploit targeted a specific flaw in how KyberSwap Elastic’s contracts handled the rounding arithmetic at tick-boundary transitions in the concentrated-liquidity model.
In a concentrated-liquidity AMM, liquidity is distributed across “ticks” — discrete price levels — and each tick boundary represents a point at which the pool’s liquidity configuration changes. The contracts must account precisely for how much liquidity is available at each price level and adjust balances correctly when a trade crosses a tick boundary. The rounding behaviour at these boundaries — specifically, how the contracts floor or ceil fractional token amounts during the transition — introduces small per-trade discrepancies.
The attacker’s insight was that by engineering a specific sequence of flash-loan-funded swaps across tick boundaries, the rounding discrepancy could be made to accumulate in the attacker’s favour within a single transaction. The flash loan provided the capital to execute the manipulation: the attacker borrowed a large amount of tokens, executed the carefully sized sequence of swaps that exploited the rounding flaw, extracted more liquidity from the pool than they were entitled to, and repaid the flash loan, netting the difference. The attack was executed separately against each chain’s deployment of the KyberSwap Elastic contracts.
The technical complexity of the exploit is notable. The attacker had clearly analysed the KyberSwap Elastic contract logic in depth, identified the specific rounding behaviour, and constructed a multi-step sequence of transactions that triggered it in a controlled way. This level of preparation distinguishes the KyberSwap exploit from simpler oracle-manipulation or reentrancy attacks — it required deep familiarity with the concentrated-liquidity mechanics and the ability to construct the exact transaction sequence that would produce the desired rounding error.
Smart contract audits of the KyberSwap Elastic codebase had been conducted before deployment. The tick-boundary rounding flaw was not identified by those audits, illustrating the difficulty of auditing complex mathematical logic in smart contracts and the limitations of even thorough pre-deployment review against adversarial analysis with full access to the deployed code.
Timeline
- Prior to November 2023 — KyberSwap Elastic contracts deployed across six networks; smart contract audits conducted but tick-boundary rounding vulnerability not identified.
- 23 November 2023 — Attacker deploys exploit across all six KyberSwap Elastic deployments simultaneously; approximately $54 million drained within hours. KyberSwap advises all liquidity providers to withdraw.
- 23 November 2023 (hours after exploit) — Attacker sends on-chain message to KyberSwap team containing governance-control demands; KyberSwap declines.
- November–December 2023 — Negotiations between attacker and KyberSwap continue; partial fund returns for smaller affected pools discussed but not confirmed at full scale.
- December 2023 – early 2024 — KyberSwap announces significant staff reductions and shutdown of the Elastic concentrated-liquidity product; restructures around KyberSwap Classic and aggregator.
- 2024 — KyberSwap files legal action in multiple jurisdictions seeking to identify the attacker and recover funds; outcome not publicly resolved.
What defenders should learn
The KyberSwap exploit illuminates the inherent tension in concentrated-liquidity AMM design: the same mathematical precision that makes the model more capital-efficient than uniform-distribution AMMs also creates more attack surface in the rounding and boundary logic. Standard AMMs with simple x*y=k invariants have a small number of invariant-preservation conditions that auditors can check exhaustively. Concentrated-liquidity AMMs with tick-boundary accounting and multi-range liquidity have orders of magnitude more logical edge cases. The security review burden scales with the complexity.
This does not mean concentrated-liquidity AMMs cannot be secured — Uniswap V3, which introduced the model, has not suffered a comparable exploit. But it means that the audit and formal verification requirements are substantially higher than for simpler designs, and that protocol teams building on top of the design or adapting it (as KyberSwap did with Elastic) should not assume that audit coverage of the base design transfers to their implementation.
Formal verification — the use of mathematical proof to verify that contract logic satisfies specified properties under all possible inputs — is the security practice most suited to catching the category of flaw that KyberSwap Elastic contained. Formal verification of concentrated-liquidity rounding behaviour would have required explicitly specifying the invariants that must hold at tick boundaries and mechanically verifying the contract code against them. It is expensive and time-consuming; it is also the only method that provides a meaningful security guarantee against adversarially constructed inputs in complex mathematical contracts.
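A toy model of the tick-boundary rounding rule described under "How it worked", added here as an illustration; it is not KyberSwap's contract code and does not reproduce the specific Elastic defect, and L, SCALE and the tick grid are constructed values. It states the invariant a formal specification would check (the pool's real balances must always cover the virtual reserves implied by liquidity and price) and shows that rounding each boundary crossing in the trader's favour accumulates a deficit, while rounding in the pool's favour preserves the invariant.

```python
"""Toy concentrated-liquidity pool: rounding at tick-boundary crossings.
Constructed model (not KyberSwap's or Uniswap's code). L = liquidity,
s = sqrt-price scaled by SCALE (contracts use Q64.96; SCALE=1000 here so
the numbers can be checked by hand). Exact amounts for a step s1 -> s2:
    token1 = L*|s2-s1|/SCALE      token0 = L*SCALE*|s2-s1|/(s1*s2)
Invariant a spec would state: after every step the real balances cover
the virtual reserves: bal0 >= ceil(L*SCALE/s) and bal1 >= ceil(L*s/SCALE).
"""
from dataclasses import dataclass

SCALE = 1000                    # toy fixed-point scale (constructed)
TICKS = [1000, 1300, 1700]      # constructed tick grid of sqrt-prices

def ceil_div(a, b):
    return -(-a // b)
@dataclass
class Pool:
    L: int
    s: int
    bal0: int
    bal1: int
    pool_favourable: bool   # True: amounts in round up, amounts out round down

    def _in(self, num, den):    # amount the trader must pay
        return ceil_div(num, den) if self.pool_favourable else num // den
    def _out(self, num, den):   # amount the pool pays out
        return num // den if self.pool_favourable else ceil_div(num, den)

    def step_to(self, s2):
        """Move the price to the adjacent tick boundary s2 and settle amounts."""
        d = abs(s2 - self.s)
        if s2 > self.s:     # trader pays token1, receives token0
            self.bal1 += self._in(self.L * d, SCALE)
            self.bal0 -= self._out(self.L * SCALE * d, self.s * s2)
        else:               # trader pays token0, receives token1
            self.bal0 += self._in(self.L * SCALE * d, self.s * s2)
            self.bal1 -= self._out(self.L * d, SCALE)
        self.s = s2

    def deficit(self):  # units short of the virtual reserves; 0 = invariant holds
        need0, need1 = ceil_div(self.L * SCALE, self.s), ceil_div(self.L * self.s, SCALE)
        return max(0, need0 - self.bal0) + max(0, need1 - self.bal1)
def new_pool(L, s, pool_favourable):
    return Pool(L, s, ceil_div(L * SCALE, s), ceil_div(L * s, SCALE), pool_favourable)
def round_trip_deficit(pool, ticks, rounds):
    """Cross every boundary upward then back down `rounds` times; return the deficit."""
    for _ in range(rounds):
        for s in ticks[1:] + ticks[-2::-1]:
            pool.step_to(s)
    return pool.deficit()
```

With pool-favourable rounding the dust accrues to the pool; with trader-favourable rounding every crossing hands out a few units, and the deficit grows linearly with the number of round trips, which is the per-trade discrepancy the page describes being accumulated within a single flash-loan transaction.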
The attacker’s governance demands are also worth noting as a tactic. Posting on-chain demands for protocol control was a negotiating strategy, not a serious legal claim. But it illustrates that in DeFi, the attacker’s position post-exploit includes significant leverage in the absence of regulatory enforcement capacity: the protocol must negotiate with the attacker to recover any funds, and the attacker’s opening demand can be set at whatever level they choose. Protocol teams should think in advance about post-exploit negotiation strategy and the conditions under which engaging with an extortionate attacker makes sense versus pursuing on-chain tracing and legal action as the primary recovery path.
Sources
- Kyber Network — KyberSwap Elastic exploit post-mortem // primary
- Rekt News — KyberSwap Elastic exploit analysis // analysis
- Chainalysis — KyberSwap exploit breakdown // analysis
- Kyber Network — Wikipedia // reporting