KyberSwap’s $47M Reentrancy Attack: A Deep Dive into the Exploit
Let’s take a closer look inside a $47M reentrancy attack on KyberSwap.
🇺🇦 Hacken stands with Ukraine!Learn more
The fundamental institutions within the industry, TOP crypto exchanges, contribute to the negative image of the blockchain industry by manipulating the trade volume via Wash Trade. Wash trade is a form of market manipulation in which an investor or institution simultaneously sells and buys the same financial instruments to create misleading, artificial activity in the market. While it can be carried out in different ways, wash trade typically means using large transactions/trading orders to reduce the risk of loss.
The crypto market is relatively confined, meaning that even simple observations can spot large manipulations. An example of this can be seen in our previous research on BitForex Success Case. However, this time, we decided to apply a more scientific approach to effectively uncover fraud.
Key Findings: Results of the analysis showed that most of the investigated exchanges (except Binance and KuCoin) demonstrated that their trade volumes were not random. Some of them, including HuobiPro, HitBTC and especially Poloniex, showed outstanding autocorrelation values suggesting that their volume is not random (not organic trade volume) but is of an undefined nature. Obvious seasonal 24-hours components detected for OKex indicate a presence of distinctly artificial processes which are very likely aimed to manipulate trade volume by means of wash trade.
In the current study, we applied a time series analysis, in particular, autocorrelation and partial autocorrelation functions in order to detect cyclical and seasonal components in investigated data. If a data series has a type of trend, these functions allow us to spot it, however, they are not significant for our analysis.
Time series analysis (TSA) is usually used for modeling (forecasting) some future aspects based on historical data. Since there is no need to make any forecasts in the context of current investigations, we have used it only to spot certain components that are unnatural for fair financial markets. For the analysis we used following TSA tools:
The research is based on the assumption that clean market data is supposed to be characterized by stochastic (random) movements, for example, clean market data should not contain the seasonal or cyclic component.
Thus, the goal of this analysis is to investigate whether there are any periodical increases and decreases in the volume traded (VT) which may indicate the presence (turning on/off) of cheaters’ automated trading programs engaged in wash trade practices on the exchanges analyzed. Since the wash trade is usually carried out with transactions of larger than average volume, we focused our study solely on outliers, trades that lie outside the overall pattern of trade volume distribution or, simply put, all trades of much larger volume than average.
The analysis algorithm is as follows:
For outliers extraction, we’ve used average value and inter-percentile range (more robust analog of standard deviation) for each portion of data separately. We calculated the average value of each sample as a median value and inter-percentile range (IPR) as the difference between 90th and 10th percentile. Trades with volume greater than the median by more than 3 IPR were considered as outliers.
Time Series Analysis
The scope of analysis – BTC/USDT pair in Q2 2018. We analyzed the trade data for 7 exchanges; namely, Binance, OKex, HuobiPro, HitBTC, Bittrex, Poloniex and KuCoin.
After having tried different timeframes for VT visualization, we determined 4-hour aggregation as the most appropriate for distinguishing periods with similar characteristics for all graphs.
Then, we built ACF and PACF graph for each period and showed those on which we detected any significant patterns indicating that the process was not of a random nature. Example of such patterns is seasonal and cyclic components, as well as values or spikes standing out significantly from the confidence interval (blue area). In statistics, a confidence interval is a range of values that contain a parameter of interest; in our case autocorrelation values which stand out from it are statistically significant for the analysis
Based on Binance VT curve visualization (graph 1), we distinguished the following periods as periods with different characteristics:
Therefore, there is no suspicious activity detected on Binance that can be revealed by our research.
Based on Bittrex VT curve visualization (graph 4) we distinguished the following periods:
Based on HitBTC VT curve visualization (graph 7) we distinguished the following periods:
While a minor cyclic component spotted in HitBTC should be considered unnatural, we can assume that it might be normal volume performance depending on price fluctuations. In addition, the ACF values that significantly outstand from the confidence interval detected for HitBTC suggests that they are definitely not random but have an undefined nature.
Based on HuobiPro VT curve visualization (graph 10) we distinguished the following periods:
On visualized KuCoin’s VT curve (graph 13), there are no obvious periods with similar characteristics to be distinguished. Therefore we analyzed the whole data series at once.KuCoin’s correlogram does not demonstrate any cyclic/seasonal components or trends. This means we did not detect any non-random and suspicious patterns.
Based on OKex‘s VT curve visualization (graph 15) we distinguished the following periods:
A period from April 29 till May 4 was excluded from the analysis due to a gap in data (see assumptions).Okex’s ACF for the 1st period shows a minor cyclic pattern, pointing to changes in trading volume on the exchange which may not be random. Okex’s ACF for the 3rd period displays obvious seasonal component with 24-hours periodicity on 1-hour data aggregation. These abnormalities mean that the trade volume (outlier transactions only) on OKex within this period of time is artificial. Moreover, it looks like this activity stems from an automated volume pamp. Slowly decaying ACF for the 5th period, along with apparent periodical peaks with a 24-hour cycle, indicates a presence of both trend and seasonal components. This is the same situation as the previous graphs, but the cyclic activity is diluted by the trend. To sum up, considering these graphs on the OKex trade volume from the outliers, we can make an inference that the cyclic wash trade activity was conducted on the OKex exchange in BTCUSDT pair. Most likely, the goal was to create simulated activity on the market to report the higher volume and attract more traders.
In turn, we analyzed the whole Q2 2018 data series for Poloniex, since there were no obvious periods with similar characteristic VT curves. Poloniex’s correlogram shows slowly decaying ACF with a lot of non-periodical but significantly outstanding (from confidence interval) values on 4-hours data aggregation. It signifies that trade volume from outliers is definitely not random on the exchange. Thus, we think that trade volume on Poloniex should be analyzed more precisely to define the nature of such uncommon relations within data, and hopefully to find more evidence of wash trade.
Based on the results of our analysis, we can claim that two exchanges do not have any suspicious patterns. We found nothing on KuCoin’s correlogram, and Binance demonstrated only the presence of a trend. But other exchanges showed the existence of non-random processes.
Bittrex has two minor cyclic patterns with different lags in two periods (1st and 2nd). HitBTC shows one minor cyclic pattern (1st period) and a period with significant spikes (3rd period). HuobiPro’s ACFs display a period with significant spikes (3rd period) and a combination of trend and cyclic components (1st period). Poloniex’s whole Q2 2018 ACF demonstrates that almost all values are significantly outstanding.
Finally, OKex is again the leader in raising red flags. It has three suspicious patterns: a minor cyclic component (1st period), a combination of trend and seasonal 24-hours component (5th period), and obvious seasonal 24-hours components (4th period).
While minor cyclic components of different periodicity spotted for Bittrex, HuobiPro, HitBTC, and OKex should be considered unnatural, we can assume that they might be normal volume performance depending on price fluctuations. However, ACF values detected for HitBTC, HuobiPro, and Poloniex, significantly outstand from the confidence interval and suggest that they are definitely not random but have an undefined nature that requires a more thorough analysis.
Moreover, obvious seasonal 24-hours components detected for OKex indicate a presence of artificial processes. are very likely aimed at manipulating trade volume by means of wash trade. It’s clear that after earlier accusations in volume manipulations by Sylvain Ribes, starting in April OKex stopped doing it so obviously, with the use of the advanced tools, our sophisticated analysis revealed that the exchange has yet to put an end to malpractice, and has instead just learned how to disguise profoundly.
Since four out of seven observed (HuobiPro, OKex, Bittrex, and KuCoin) exchanges do not provide historical trade data via their API (see PS: Data Gathering Problems from previous research) we took the data from the sole source (CoinAPI) in order to be comparable. Datasets received from CoinAPI have a number of gaps of different length. In total we are missing significant data for two exchanges:
We consider Binance’s missing data of 1 day, 11 hours, and 25 minutes (~1.6%)insignificant as well other minor data gaps for Poloniex – 2 hours and 30 minutes (~0.114%) and Kucoin – 45 minutes (~0.034%).
Don’t hesitate to contact us via email@example.com, if you have suggestions on how to make these reviews more interesting and effective.