defirisk.co
rubric v1.7.0

KyberSwap Elastic: Tick Manipulation + Double Liquidity Counting — Precision Arithmetic Edge Case

Occurred: 2023-11-22 | Loss: $48M | Status: closed

Summary

KyberSwap Elastic, a concentrated liquidity DEX, suffered an exploit on 2023-11-22, resulting in a loss of approximately $48M.

What happened

A highly sophisticated attacker exploited a sub-0.00000000001% precision error in KyberSwap Elastic's tick-crossing logic to double-count liquidity and drain $48M across 6 chains simultaneously — leaving step-by-step commentary in on-chain event logs.

Linked factors

  • RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-007 — causal : Direct: bug bounty presence + max payout [via cross-hack: Factor 9: No Bug Bounty Program] || Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Unknown]
  • RD-F-008 — illustrative : Bug survived review (RD-F-008 = ignored disclosure; closest semantic match for audit-missed-bug) [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Audited — bug survived two independent reviews (ChainSecurity + Sherlock)]
  • RD-F-009 — related : Formal verification coverage — would have caught [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
  • RD-F-024 — causal : Code complexity above threshold for audit coverage [via cross-hack: Factor 53: Custom Proprietary AMM Math Without Independent Verification]
  • RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash + FixedFloat funding across chains; large flash loan originations at attack time]
  • RD-F-098 — illustrative : TVL anomaly — % drop in <1h vs 30d baseline [via realtime_signals/TVL exit early: Y — TVL fell from $71M to <$3M on KyberSwap Elastic during attack] || Low detectability — RT signals would NOT have caught (negative-evidence) [via realtime_signals/Detectability rating: Low] || Low detectability — alternate field name [via realtime_signals/Detectability rating: Low]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly: Y — pool prices pushed into empty liquidity zones; abnormal swap states]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — flash loans used to bootstrap tick manipulation]