.@KyberSwap was exploited due to tick manipulation and double liquidity counting.
In summary, the attackers borrowed a flash loan and drained the pools with low liquidity. By executing swaps and altering positions, they manipulated the current prices and ticks of the victimized
1/ @samczsun explained that the attacker exploited the vulnerability in mev-boost-relay to drain MEV bots. After digging into the attack, we have two more findings. First, the attacker used a honeypot tx to lure MEV bots. Second, the honeypot tx has a self-protected mechanism.
1/ Exploits on chain are growing at an alarming rate. Here's how #BlockSec responds when an attack occurs and the secret weapons we deploy to analyze incidents quickly and accurately.
1/ Alert | BlockSec detected that exploiters are replaying the message (calldata) of the PoS chain on @EthereumPow. The root cause of the exploitation is that the bridge doesn't correctly verify the actual chainid (which is maintained by itself) of the cross-chain message.
1/ The key to the success of the Tornado Cash DAO attack is that 1) blindly vote -- vote without knowing the consequence; 2) a proposal contract can be updated through a well-designed trick -- create and create2.
Click to see the detailed attack steps:
docs.google.com/presentation/d…
Please note that this reentrancy issue is associated with the use of 'use_eth', which could potentially place the WETH-related pools in jeopardy!
@CurveFinance , please DM us if you need any help.