Multi-chain DEX aggregator Kyber Network urged liquidity providers using its Elastic automated market maker (AMM) to withdraw their funds as soon as possible.
In a Monday announcement, the Kyber team disclosed a potential vulnerability on Elastic and advised users to unstake funds on liquidity pools as a precaution.
KyberSwap Classic remains unaffected.
We will provide further details on the situation shortly and announce when KyberSwap Elastic is re-enabled. We apologise for the inconvenience caused.
— Kyber Network (@KyberNetwork) April 17, 2023
Elastic is a tick-based AMM with concentrated liquidity and customizable fee tiers that gives liquidity providers advanced tools to optimize their yield strategies. According to data from DeFiLlama, the total value locked (TVL) on Elastic dropped from $108.5 million to $9.3 million after the team identified the exploit, at the time of writing.
The drop in TVL likely came from liquidity providers heeding Kyber’s advice and withdrawing their funds from Elastic. The Kyber team said that no funds were lost due to the vulnerability.
“KyberSwap Classic remains unaffected. We will provide further details on the situation shortly and announce when KyberSwap Elastic is re-enabled,” said the team.
Shortly after, Kyber disabled farming rewards on Elastic, announcing that an upgraded Elastic smart contract was being deployed.
According to Kyber CEO Loi Luu, the “serious vulnerability” on Kyber Elastic was discovered by a whitehat hacker and the team worked to immediately mitigate the risk after the threat was disclosed.
“though we are confident that the exploit is no longer possible, we still advise all LPs to remove their fund from the protocol until it is thoroughly investigated and everything is completely fixed with more security audits,” tweeted Luu.
In September 2022, Kyber disclosed that $265,000 worth of user funds were lost in an exploit through malicious code in the platform’s Google Tag Manager (GTM). The code allowed hackers to insert a false approval and transfer user funds to their wallets.
At the time, the Kyber team said it had neutralized the front-end exploit, which did not impact its smart contracts, within two hours of investigating it, and user funds would be reimbursed.