Audits


Last updated 1 year ago


KyberSwap Elastic

Third-party Audits

ChainSecurity performed multiple audits of KyberSwap Elastic after additional security enhancements were made in response to a vulnerability disclosure 17 months after Elastic's initial release in December 2021. The hardened Elastic contracts were deployed in May 2023, with no user funds lost during the upgrade. The first iteration has been renamed to Elastic Legacy.

|               | Critical | High | Medium | Low |
|---------------|----------|------|--------|-----|
| Identified    | 0        | 1    | 0      | 6   |
| Resolved      | -        | 1    | -      | 5   |
| Risk Accepted | -        | -    | -      | 1   |

All findings for the latest KyberSwap Elastic 16 May 2023 audit were resolved with a single low risk being accepted:

  • DOMAIN_SEPARATOR Is Not Recomputed if chainId Changes -> Risk is isolated to cross-chain replay attacks in the event of the underlying chain forking.

Please refer to the full KyberSwap Elastic report linked above for further details.

Elastic Legacy

You can view the timeline and post-mortem of the whitehat disclosure and bounty here.

Audit Contest

In September 2023, an audit contest involving 207 participants from the Sherlock community was completed. The contest pot was open to any independent security experts who could identify vulnerabilities in the deployed Elastic contracts.

| Issues submitted | Invalidated | High | Medium                |
|------------------|-------------|------|-----------------------|
| 116              | 113         | 0    | 2 (1 duplicate issue) |

A total of 78,200 USDC was provided for 2 medium-severity issues, which were validated and scheduled to be fixed in the next protocol deployment:

  • UUPSUpgradeable vulnerability in OpenZeppelin Contracts -> Vulnerability is restricted to a dependency package and can be mitigated through proper admin contract initialization, which has been implemented for all deployed contracts. The dependency package has been fixed for all future deployments.

  • Router.sol is vulnerable to address collision -> Address collision requires a significant amount of computing power based on current hardware capabilities, making such an attack infeasible in the short term.

Please refer to the Sherlock contest details for further details and a full audit report.

KyberSwap Elastic Exploit

On 22 Nov 2023, there was an exploit that drained many liquidity pools. Our team is addressing the situation, and will keep you informed with regular updates via our public channels, such as https://twitter.com/KyberNetwork. Meanwhile, KyberSwap Aggregator is not impacted and is operating as normal.

We urge all users to be vigilant against misinformation from malicious actors, and to not click on fake websites and phishing links. Our team will not DM you first. Thank you for your patience and understanding.


KyberSwap Classic

Third-party Audit

ChainSecurity was engaged to conduct a code assessment of KyberSwap Classic with the final report published on 23 April 2021.

|               | Critical | High | Medium | Low |
|---------------|----------|------|--------|-----|
| Identified    | 0        | 0    | 4      | 6   |
| Resolved      | -        | -    | 2      | 6   |
| Risk Accepted | -        | -    | 2      | 0   |

All audit findings were resolved with the reason for accepting the remaining medium risks as follows:

  • Obsolete Storage Writes During Pool Deployment -> Only affects the gas costs of deploying new pools.

  • Actual Amplification Reduces After Unbalanced Contribution -> Attacker has no economic incentives for this attack vector and LPs will benefit from such a scenario.

Please refer to the full report linked above for additional details.


Bug Bounty Program

Due to the recent Elastic exploit in Nov 2023, the program has been put on hold.

In an effort to further secure the ecosystem, KyberSwap officially launched a bug bounty program on Immunefi on 11 August 2023. The bounty program covered multiple KyberSwap products including the Aggregator, Elastic, Limit Order, and the dApp interface.