Audits
Last updated
ChainSecurity performed multiple audits of KyberSwap Elastic following the security enhancements made after a vulnerability was disclosed roughly 17 months after Elastic's initial release in December 2021. The hardened Elastic contracts were deployed in May 2023, with no user funds lost during the upgrade process. The first iteration has been renamed Elastic Legacy.
Severity | Critical | High | Medium | Low
---|---|---|---|---
Identified | 0 | 1 | 0 | 6
Resolved | - | 1 | - | 5
Risk Accepted | - | - | - | 1
All findings from the latest KyberSwap Elastic audit (16 May 2023) were resolved, with a single low-risk finding accepted:
DOMAIN_SEPARATOR Is Not Recomputed if chainId Changes -> The EIP-712 domain separator is computed once at deployment and embeds the chainId at that time. If the underlying chain forks, both forks keep the same separator, so a signature produced for one fork also verifies on the other. The risk is therefore isolated to cross-chain replay in the event of a chain fork.
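The two contract shapes below illustrate the accepted finding. This is an added example, not KyberSwap code and not taken from the ChainSecurity report; the contract names, the `Example`/`1` domain name and version, and the `hashTypedData` consumer are hypothetical. The first contract freezes the separator at deployment (the pattern the finding describes); the second keeps a cached separator for the deployment chain but recomputes it whenever `block.chainid` no longer matches, which is the approach OpenZeppelin's EIP712 helper takes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the accepted low-risk finding above. Not KyberSwap
// code; contract and function names are hypothetical.

// Pattern the finding describes: the EIP-712 domain separator is computed once
// at deployment. After a chain fork both forks share this chainId-bound value,
// so a permit/typed-data signature valid on one fork is also valid on the other.
contract CachedSeparator {
    bytes32 public immutable DOMAIN_SEPARATOR;

    constructor() {
        DOMAIN_SEPARATOR = keccak256(
            abi.encode(
                keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
                keccak256("Example"),
                keccak256("1"),
                block.chainid,      // frozen at deployment
                address(this)
            )
        );
    }
}

// Hardened form: cache the separator for the deployment chain, but rebuild it
// whenever block.chainid differs so post-fork signatures stop crossing over.
contract ForkAwareSeparator {
    bytes32 private constant _TYPE_HASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    bytes32 private constant _NAME_HASH = keccak256("Example");
    bytes32 private constant _VERSION_HASH = keccak256("1");

    bytes32 private immutable _CACHED_DOMAIN_SEPARATOR;
    uint256 private immutable _CACHED_CHAIN_ID;

    constructor() {
        _CACHED_CHAIN_ID = block.chainid;
        _CACHED_DOMAIN_SEPARATOR = _buildDomainSeparator();
    }

    function DOMAIN_SEPARATOR() public view returns (bytes32) {
        // Cheap path on the original chain; recompute on any fork.
        if (block.chainid == _CACHED_CHAIN_ID) {
            return _CACHED_DOMAIN_SEPARATOR;
        }
        return _buildDomainSeparator();
    }

    function _buildDomainSeparator() private view returns (bytes32) {
        return keccak256(abi.encode(_TYPE_HASH, _NAME_HASH, _VERSION_HASH, block.chainid, address(this)));
    }

    // Hypothetical consumer: every typed-data digest binds to the live separator,
    // so a signature made on the other fork fails ecrecover here.
    function hashTypedData(bytes32 structHash) public view returns (bytes32) {
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR(), structHash));
    }
}
```

The check costs one `CHAINID` opcode and a comparison on the happy path, which is why accepting the risk is a defensible trade-off only when fork-replay of the affected signatures is judged low impact, as the audit concluded here.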
Please refer to the full KyberSwap Elastic report linked above for further details.
Elastic Legacy
You can view the timeline and post-mortem of the whitehat disclosure and bounty here.
In September 2023, an audit contest with 207 participants from the Sherlock community was completed. The contest pot was open to any independent security researcher who could identify vulnerabilities in the deployed Elastic contracts.
Issues submitted | Invalidated | High | Medium
---|---|---|---
116 | 113 | 0 | 2 (1 duplicate issue)
A total of 78,200 USDC was paid out for the two medium-severity findings, which were validated and scheduled to be fixed in the next protocol deployment:
UUPSUpgradeable vulnerability in OpenZeppelin Contracts -> The vulnerability lies in a dependency package, not in KyberSwap code, and is mitigated by properly initializing the implementation (admin) contracts so that they cannot be initialized by a third party; this has been done for all deployed contracts. The dependency has been upgraded to a fixed version for all future deployments.
Router.sol is vulnerable to address collision -> Finding a colliding address is a birthday-style search over the 160-bit address space, on the order of 2^80 hash computations, which is beyond current hardware capabilities and makes the attack infeasible in the near term.
Please refer to the Sherlock contest page for the full report and further details.
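The following is an added example of the "proper admin contract initialization" mitigation named for the UUPSUpgradeable finding above; it is not KyberSwap code and not taken from the Sherlock report. It assumes OpenZeppelin Contracts Upgradeable 4.9.x for the three imports; `VaultV1`, `deposit` and the `admin` parameter are hypothetical. The issue being mitigated is the known OpenZeppelin advisory in which an uninitialized UUPS implementation could be initialized by anyone, who then becomes its owner and can drive `upgradeToAndCall` into a delegatecall that `selfdestruct`s the implementation, bricking every proxy that points at it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration of the UUPS mitigation described above. Not KyberSwap
// code; assumes OpenZeppelin Contracts Upgradeable 4.9.x.
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

contract VaultV1 is Initializable, UUPSUpgradeable, OwnableUpgradeable {
    uint256 public totalDeposits;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Runs on the implementation contract itself, never through a proxy.
        // Marks the logic contract as already initialized so nobody can call
        // initialize() on it directly, take ownership of the bare
        // implementation, and upgrade it into a self-destructing contract.
        _disableInitializers();
    }

    // Called exactly once, through the proxy, when the proxy is deployed.
    function initialize(address admin) external initializer {
        __Ownable_init();          // owner = msg.sender (the deployer)
        __UUPSUpgradeable_init();
        _transferOwnership(admin); // hand control to the intended admin
    }

    function deposit() external payable {
        totalDeposits += msg.value;
    }

    // Only the proxy's owner may authorize an upgrade. Fixed OpenZeppelin
    // versions also guard upgradeTo/upgradeToAndCall with onlyProxy, so a
    // direct call on the implementation is rejected even if the constructor
    // above were missing; both layers together are the intended posture.
    function _authorizeUpgrade(address newImplementation) internal override onlyOwner {}
}
```

A quick operational check after deployment: calling `initialize` directly on the implementation address (not the proxy) should revert with the library's "already initialized" error, and `owner()` on the implementation should be the zero address.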
KyberSwap Elastic Exploit
On 22 Nov 2023, there was an exploit that drained many liquidity pools. Our team is addressing the situation, and will keep you informed with regular updates via our public channels, such as https://twitter.com/KyberNetwork. Meanwhile, KyberSwap Aggregator is not impacted and is operating as normal.
We urge all users to be vigilant against misinformation from malicious actors, and to not click on fake websites and phishing links. Our team will not DM you first. Thank you for your patience and understanding.
KyberSwap Classic
ChainSecurity was engaged to conduct a code assessment of KyberSwap Classic, with the final report published on 23 April 2021.
Severity | Critical | High | Medium | Low
---|---|---|---|---
Identified | 0 | 0 | 4 | 6
Resolved | - | - | 2 | 6
Risk Accepted | - | - | 2 | 0
All findings were either resolved or accepted; the two medium risks were accepted for the following reasons:
Obsolete Storage Writes During Pool Deployment -> Only affects the gas cost of deploying new pools.
Actual Amplification Reduces After Unbalanced Contribution -> An attacker has no economic incentive to pursue this vector, and LPs would benefit from such a scenario.
Please refer to the full report linked above for additional details.
Bug Bounty
In an effort to further secure the ecosystem, KyberSwap officially launched a bug bounty program on Immunefi on 11 August 2023. The program covered multiple KyberSwap products, including the Aggregator, Elastic, Limit Order, and the dApp interface.
Due to the recent Elastic exploit in Nov 2023, the program has been put on hold.