Decentralized exchange KyberSwap has extended a 10% reward offer to the hackers responsible for the $46 million heist that occurred on November 22, leaving behind a trace of their discussions. The exchange aims to return 90% of the stolen assets by November 25 at 6 am UTC.
On November 23, KyberSwap alerted its users about the compromise of its liquidity solution, KyberSwap Elastic, and advised them to withdraw their funds. The heist, which transpired on November 22, resulted in hackers nabbing approximately $20 million in Wrapped Ether (wETH), $7 million in Lido Collateral Ether (wstETH), and $4 million in Arbitrum (ARB) tokens. The hackers then moved the loot across several chains, including Arbitrum, Optimism, Ethereum, Polygon, and Base. Following the theft, the hacker left an on-chain message addressed to KyberSwap developers, staff, decentralized autonomous organization members, and liquidity providers, signaling upcoming negotiations after some rest.
After a period of silence from both sides, KyberSwap responded to the hackers' demand to return 90% of the purloined assets. The team acknowledged the hackers' capabilities and presented a proposition: "To securely return all user funds, we offer a bounty equal to 10% of the funds taken from the users. Let’s expedite this process to ensure both you and affected users can move forward.”
In the event of non-repayment or a lack of response from the hackers by 6 a.m. UTC on November 25, KyberSwap issued a stern warning that "you will go on the run." The team expressed openness to further discussions with the hackers through email. An expert in decentralized finance (DeFi), Doug Colkitt, dissected the KyberSwap hack and unveiled that the attackers exploited an "infinite funds glitch" to siphon the funds.
Colkitt, the founder of Ambient Exchange, explained that the attackers utilized "sophisticated and meticulously designed smart contract vulnerabilities" to execute the attacks. Subsequently, the exploit was leveraged against other Kyberswap pools across multiple networks, ultimately resulting in the theft of $46 million in various cryptocurrencies.
