The US Department of Justice (DOJ) has just announced details of the attack on KyberSwap - a decentralized finance (DeFi) platform of the Kyber Network project developed by Vietnamese people. Accordingly, Andean Medjedovic (22 years old), a Canadian citizen, is accused of being behind the hack that occurred at the end of 2023, causing KyberSwap users to lose 48.4 million USD.
How the attack worked
KyberSwap lets users exchange cryptocurrencies by drawing on tokens that other users have deposited into "liquidity pools." This keeps a reserve of tokens available for anyone to swap against at any time. Exploiting a vulnerability in KyberSwap's smart contract, the hacker temporarily borrowed large sums through "flash loans" and put them into the liquidity pools.
He then manipulated prices with meticulously calculated trades that tricked the system into miscalculating, allowing him to withdraw more assets than he had deposited.
In the indictment, the DOJ describes this as a vulnerability related to a "rounding error" in the calculation steps. For example, the number of tokens swapped was limited to 1,056,056,735,638,220,800,000, but the hacker placed an order of 1,056,056,735,638,220,799,999 (just 1 unit less). The order was still within the limit, but the rounding rule caused some functions to behave differently from how they were designed, creating a vulnerability that could be exploited.
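As an added illustration of the bug class only (this is not KyberSwap's code and does not reproduce the actual flaw in the indictment), the toy below shows why the direction of integer rounding matters in swap math: when a division rounds in the trader's favour, every trade leaks a little value from the pool, and a post-trade invariant check is what catches it. The reserves, amounts and function names are constructed for the example.

```python
# Added illustration of the bug class: toy constant-product swap math in
# integers, as a Solidity-like contract would compute it. Not KyberSwap's
# code and not the specific flaw described in the indictment.

def amount_out_floor(x: int, y: int, dx: int) -> int:
    """Tokens paid out for dx tokens in; the division rounds DOWN, so any
    fractional remainder stays in the pool (rounding favours the pool)."""
    return (y * dx) // (x + dx)


def amount_out_ceil(x: int, y: int, dx: int) -> int:
    """Same formula rounded UP: the fractional remainder is paid to the
    trader (rounding favours the trader). This is the defective variant."""
    return -((-y * dx) // (x + dx))


def swap(x: int, y: int, dx: int, rounding) -> tuple:
    """Apply one swap and return the new reserves (x + dx, y - dy)."""
    dy = rounding(x, y, dx)
    return x + dx, y - dy


def invariant_holds(x0: int, y0: int, x1: int, y1: int) -> bool:
    """Post-trade check a pool should enforce: the product of the reserves
    must never shrink across a trade."""
    return x1 * y1 >= x0 * y0


def round_trip_gain(x: int, y: int, dx: int, rounding) -> int:
    """Net X tokens a trader ends with after swapping dx of X into Y and
    then all of that Y back into X. With pool-favouring rounding this is
    never positive; with trader-favouring rounding it can be."""
    x1, y1 = swap(x, y, dx, rounding)
    dy = y - y1
    # Swap dy of Y back in: same formula with the reserve roles mirrored.
    dx_back = rounding(y1, x1, dy)
    return dx_back - dx


def checked_swap(x: int, y: int, dx: int, rounding) -> tuple:
    """Swap guarded by the invariant check; rejects a value-leaking trade."""
    x1, y1 = swap(x, y, dx, rounding)
    if not invariant_holds(x, y, x1, y1):
        raise ValueError("invariant violated: trade would drain the pool")
    return x1, y1
```

With reserves of 1000/1000 and an input of 3, the floor version pays out 2 and the pool's product grows, while the ceil version pays out 3, shrinks the product, and lets a round trip end with more X than the trader started with.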
Medjedovic made 77 such transactions, taking a total of $48.4 million from users’ wallets. Medjedovic then used various tricks to cover his tracks, such as transferring the funds to different exchanges or putting them into a token mixer.
In addition to the criminal trespass charges, Medjedovic is also accused of extortion, after sending messages demanding that Kyber Network give him partial control of the company in exchange for the return of some stolen assets. The 22-year-old hacker also confidently thought he had successfully fooled investigators. However, when he encountered problems with his wiper tool, Medjedovic contacted a “software developer” for help, not knowing that he was an undercover agent.
KyberSwap Response
According to Kyber Network CEO Tran Huy Vu, although the company has not yet recovered all the lost assets, it has proactively returned funds to users. The serious incident forced Kyber Network to restructure at the end of 2023, cutting 50% of its staff and temporarily closing the KyberSwap Elastic function.
The DOJ called it a sophisticated theft that exploited a vulnerability in a DeFi smart contract. Observers said the incident is a reminder for all DeFi projects to constantly check for vulnerabilities, be cautious with complex transaction orders, and have a risk response plan. As DeFi becomes more popular, Medjedovic’s attack shows that hackers can find and exploit even the smallest errors in computational logic.
"Even with the complexity of DeFi, we were able to track down the person responsible for the massive theft and arrest him," a representative of the US Department of Justice affirmed. The case is seen as evidence that, despite the many steps the attacker took to conceal himself, authorities still have ways to track down the perpetrator and hold the criminal accountable before the law.
Source: https://thanhnien.vn/tin-tac-canada-chiem-doat-hon-48-trieu-usd-tu-du-an-kyberswap-cua-nguoi-viet-185250205084915802.htm