KyberSwap Elastic is a concentrated-liquidity AMM derived from Uniswap V3 with a reinvestment-curve fee mechanism. The exploit lived in computeSwapStep() and the tick-crossing logic of swap() in Pool.sol.

The attacker chose an input amount exactly one wei less than amountSwapToCrossTick (244080034447359999999 vs the boundary 244080034447360000000), so the function decided the swap did not exhaust in-range liquidity and therefore did not call updateLiquidityAndCrossTick(); the tick was not crossed and the corresponding range liquidity was not removed. However, the next-price computation in calcFinalPrice folded the swap fee into the liquidity used in the sqrtP update, producing a nextSqrtP that was very slightly larger than the target tick's sqrtP, even though the code believed the tick had not been crossed.

On the next swap, the pool now sat past the tick with the original liquidity still active and with the next tick's liquidity additionally crossed in: the same liquidity was effectively counted twice across the boundary, letting the attacker round-trip swaps that drained the pool of ~$48M in a single tx across multiple chains (Ethereum, Arbitrum, Optimism, Polygon, Base). The bug is a precision/rounding tear at the sqrtP=tickSqrtP edge created by including fee amounts in the liquidity term of the price-update formula.
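
The boundary tear described above, reproduced in a toy integer model together with the post-step invariant a fuzz or property test would assert. This is an added example, not KyberSwap's code: the formula shapes follow the description here, while the scale S, FEE_UNITS, the function names and the pool values are assumptions chosen so the arithmetic can be checked by hand.

```python
# Added example: toy integer model, not the contract's code. Scale and fee units
# are shrunk (assumptions) so every value can be checked by hand.
S = 1_000                    # sqrt-price fixed-point scale (stands in for 2**96)
FEE_UNITS = 10               # fee denominator; fee=1 means 10% in this toy
TWO_FEE_UNITS = 2 * FEE_UNITS

def reach_amount(liq, cur, target, fee):
    """Floored token1 input needed to move sqrtP up from cur to target."""
    denom = TWO_FEE_UNITS * cur - fee * target
    num = liq * TWO_FEE_UNITS * (target - cur) // denom
    return num * cur // S

def final_price(amount, liq, cur, fee):
    """sqrtP after an uncrossed step; the fee enters as extra liquidity."""
    delta_l = S * amount * fee // (TWO_FEE_UNITS * cur)  # fee as liquidity, floored
    tmp = amount * S // cur                              # input as liquidity, floored
    return (liq + tmp) * cur // (liq + delta_l)

def swap_step(liq, cur, target, fee, amount):
    """Exact-input step that raises the price. Returns (next_sqrt_p, crossed)."""
    if reach_amount(liq, cur, target, fee) > amount:
        return final_price(amount, liq, cur, fee), False  # believed short of the tick
    return target, True                                   # boundary reached: cross

def invariant_holds(target, next_sqrt_p, crossed):
    """An uncrossed step must not leave the price beyond the target tick."""
    return crossed or next_sqrt_p <= target

def boundary_violations(liq, cur, target, fee, window=2):
    """Check the amounts just below the crossing boundary, as a fuzz harness would."""
    reach = reach_amount(liq, cur, target, fee)
    found = []
    for amount in range(max(reach - window, 0), reach + 1):
        nxt, crossed = swap_step(liq, cur, target, fee, amount)
        if not invariant_holds(target, nxt, crossed):
            found.append((amount, nxt))
    return found

if __name__ == "__main__":
    # Constructed pool state: liquidity 189, sqrtP 100000, target tick at 110000.
    print(boundary_violations(189, 100_000, 110_000, 1))
```

In this constructed state the boundary amount is 2000; an input of 1999 leaves the step uncrossed at sqrtP 110052, past the target of 110000, because the fee-derived liquidity term floors to zero.
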
Classification: Protocol Logic. Technique: Flashloan Swap Logic Exploit. Target type: DeFi Protocol. Affected chains: Ethereum, Base, Polygon, Optimism, Arbitrum. Implementation language: Solidity.
- chain: multichain
- protocol: KyberSwap Elastic
- bug_class: flashloan
- date_occurred: 2023-11-22
- loss_usd: $48,000,000
- classification: Protocol Logic
- technique: Flashloan Swap Logic Exploit
- target_type: DeFi Protocol
- language: Solidity
- source_id: dl:2615