Audits
Last updated
Was this helpful?
Last updated
Was this helpful?
ChainSecurity performed multiple audits of KyberSwap Elastic following additional security enhancements on the back of a vulnerability disclosure 17 months after Elastic's initial release in December 2021. The hardened Elastic contracts were deployed in May 2023 with no user funds lost during this upgrading process. The first iteration has been renamed to .
Identified
0
1
0
6
Resolved
-
1
-
5
Risk Accepted
-
-
-
1
All findings for the latest KyberSwap Elastic 16 May 2023 audit were resolved with a single low risk being accepted:
DOMAIN_SEPARATOR Is Not Recomputed if chainId Changes -> Risk is isolated to cross-chain replay attacks in the event of the underlying chain forking.
Please refer to the full KyberSwap Elastic report linked above for further details.
In September 2023, an audit contest involving 207 participants from the Sherlock community was completed. The contest pot was open to any independent security experts who could identify vulnerabilities in the deployed Elastic contracts.
116
113
0
2 (1 duplicate issue)
A total of 78,200 USDC was provided for 2 medium risk severities which was validated and scheduled to be fixed in the next protocol deployment:
KyberSwap Elastic Exploit
We urge all users to be vigilant against misinformation from malicious actors, and to not click on fake websites and phishing links. Our team will not DM you first. Thank you for your patience and understanding.
ChainSecurity was engaged to conduct a code assessment of KyberSwap Classic with the final report published on 23 April 2021.
Identified
0
0
4
6
Resolved
-
-
2
6
Risk Accepted
-
-
2
0
All audit findings were resolved with the reason for accepting the remaining medium risks as follows:
Obsolete Storage Writes During Pool Deployment -> Only affects the gas costs of deploying new pools.
Actual Amplification Reduces After Unblanced Contribution -> Attacker has no economic incentives for this attack vector and LPs will benefit from such a scenario.
Please refer to the full report linked above for additional details.
Due to the recent Elastic exploit in Nov 2023, the program has been put on hold.
-> Vulnerability is restricted to a dependency package which can be mitigated through proper admin contract initialization which has been implemented for all deployed contracts. Dependency package has been fixed for all future deployments.
-> Address collision requires significant amount of computing power based on current hardware capabilities making such an attack infeasible in the short term.
Please refer to the for further details and a full audit report.
On 22 Nov 2023, there was an exploit that drained many liquidity pools. Our team is addressing the situation, and will keep you informed with regular updates via our public channels, such as . Meanwhile, KyberSwap Aggregator is not impacted and is operating as normal.
In an effort to further secure the ecosystem, KyberSwap a bug bounty program on Immunefi on 11 August 2023. The bounty program covered multiple KyberSwap products including the Aggregator, Elastic, Limit Order, and the dApp interface.
