Before we begin, we’d like to state that this is a short version of the report. The full report is available on CER’s blog here.
The crypto world is amazing and unpredictable. Along with skyrocketing coin prices, we can often observe exchanges suddenly break from the middle of the crowd to the top of the ranks by trade volume. During the last couple of months, the crypto community has witnessed a handful of these success stories. It was difficult not to notice that the majority of them happened because the exchanges adopted the innovative approach of Transaction Fee Mining, or “trans-fee mining”. However, trans-fee mining has been criticized by many crypto community members since its inception. In particular, the CEO of Binance, Zhao Changpeng, condemns the practice:
You use BTC or ETH to pay for the transaction fee to the exchange, where it pays you back 100% via the exchange tokens. Isn’t it the same with using BTC or ETH to buy the exchange tokens? What’s the difference between this and an ICO? – Zhao Changpeng.
At CER we agree with that, since such exchanges are distributing their tokens in exchange for trade fees paid in other cryptocurrencies, which is a method of fundraising. By doing this, they simply bypass the resource-consuming ICO process. Along with that, applying the “trans-fee mining” approach significantly increases daily trading volume on these exchanges, thereby moving them up in the global ranking, increasing their brand awareness and bringing them new users.
With that in mind, we decided to produce a study of this method and investigate some of its adopters. While analyzing each exchange’s trans-fee mining features, the model seemed akin to some kind of network marketing or Ponzi scheme.
We investigated 5 exchanges that implemented the trans-fee mining model out of the top 12 exchanges (by reported volume on CMC) on Aug 8 (Fig. 1). These were BitForex, FCoin, CoinEx, CoinBene and Coinsuper. Looking at their daily volumes, we can observe a similar pattern: a large trade volume ramp-up on the very first day of implementing the trans-fee mining model.
Eventually, the analysis of chart volume patterns, user traffic, social media activity, security, and KYC/AML policies made the poor reliability of these exchanges even more evident.
Nowadays, exchange tokens are not a novelty. Over a year ago, Binance came out with BNB, its own ERC-20 token, which can be used to vote for new listings and receive discounts when paying trading fees. Consequently, many other exchanges embraced this idea, which proved to benefit all stakeholders.
As new crypto exchanges crowd the playfield, most are trying to set themselves apart from their peers. And here we have FCoin, with its invention of the “trans-fee mining” model, promising 100% transaction fees reimbursement for traders in the form of FCoin’s FT token. Some other minor exchanges quickly assessed the profit potential and adopted the model with some adjustments.
Basically, trans-fee mining is a reward model in which the transaction fees paid by traders are compensated by the exchange in its own tokens. In theory, it is meant to boost trading activity by incentivizing traders to join the exchange, giving them the opportunity to trade crypto at literally no cost. Is this really what’s going on, though?
Currently, the leader of this parade is the exchange called BitForex, which had already been investigated for volume manipulation by the CER Analytical Team in coordination with the Hacken Marketing Team about a month ago. On Aug 8, it was in second place with about $4.8bln of 24h volume, but at the very beginning of the month, its trade volume skyrocketed to over $14bln. We assume this was an all-time record for the CMC ranking. This sharp spike occurred just after BitForex launched their trans-fee mining model with a whopping 120% transaction fee reimbursement. This resulted in a +2900% jump in BTC/USDT Trade Volume from 35K BTC to over 1 million BTC.
ETH/USDT performed similarly; it soared over 2800% from 356K BTC to over 10 million ETH.
FCoin was launched in May 2018 backed by Jian Zhang, former CTO of Huobi. On Aug 8, the exchange was in third place with over $2bln of 24h Trade Volume. As a pioneer of trans-fee mining, FCoin launched their token and reimbursement system at the beginning of June.
However, as time went on, FCoin’s trade volume started to fade, and the exchange slid down the CMC ranks to about $30mln of 24h Trade Volume. On Aug 8, noticing the trend of rivals offering more than 100% trade fee reimbursement, FCoin decided to implement their own 10% bonus. That move resulted in a nearly 7,000% volume jump to over $2bln (see Fig. 1), primarily due to the rise in FT/USDT volume (Fig. 5).
The Hong Kong-based CoinEx exchange was established in late 2017 by Haipo Yang, founder of ViaBTC mining pool. It was the first crypto exchange to implement Bitcoin Cash (BCH) as quote currency. On Aug 8, CoinEx took 8th place with over $582mln of 24h Trade Volume. The charts below clearly display the start date of the trans-fee mining on CoinEx, as well as skyrocketing trade volume by more than 56,000% in BTC/USDT, and more than 8,900% in BCH/USDT pairs.
The Singapore-based CoinBene exchange was founded in late 2017, and in June 2018 it became one of the earliest adopters of the trans-fee mining model, promising a 130% trade fee reimbursement. On Aug 8, CoinBene placed 9th, with over $434mln of 24h Trade Volume.
Hong Kong-based Coinsuper took 11th place with over $300mln of 24h trade volume on Aug 8. The exchange experienced a similar trade volume jump upon the initial implementation of their own trans-fee mining model, but unlike its peers, that was only a one-day spike.
The charts shown above suggest the trans-fee mining model really does incentivize trading activity. But, is it natural active user growth or some kind of volume manipulation?
As we stated earlier, utilizing the trans-fee mining approach is akin to starting an ICO (initial coin offering) without the usual overhead costs of marketing, business development, and legal procedures. These exchanges are simply distributing their tokens in exchange for trade fees paid in other cryptocurrencies.
As we noted in this study, 4 out of the 5 exchanges we examined claimed to offer more than 100% trading fee reimbursement: BitForex – 120%, FCoin – 110%, CoinBene – 130%, and Coinsuper – 125%. Besides that, BitForex and Coinsuper promise to use 80% of the transaction fees incurred to buy back the exchange tokens, while the others pledge to redistribute their trade fee revenue in the form of dividends: FCoin and CoinEx – 80%, and CoinBene – 40% (while the previous offer was 100%).
All those lavish promises, like “give me 100 bucks and I’ll return 120 tomorrow, plus 80% dividends” should make anyone suspicious, as the offers seem as unsustainable as any multi-level marketing or Ponzi scheme on the market. Of course, there are many credulous people led by FOMO (fear of missing out). These people often get caught by scammers, but hopefully, the modern crypto community is not so easy to deceive.
All of the observed exchanges claim to have KYC, but only 2 out of 5 claim to conduct AML procedures (BitForex and Coinsuper). We don’t trust so easily, so we checked with the exchanges’ customer support.
BitForex’s answers threw us into confusion, as its customer service asserted that they don’t need an AML policy and don’t have KYC; nevertheless, the exchange’s user agreement contains a KYC/AML policies section.
Indeed, why would an exchange that is artificially pumping up its own trade volume (or letting somebody else do so) need to know its customers, let alone conduct anti-money laundering procedures?
In this chapter, we are comparing the marketing performance of two well-known crypto exchanges, Bitstamp and Kraken, with the exchanges we examined above in this report. We are observing how traffic volume and media activity correlate with trade volumes. All of the following data has been taken from a SimilarWeb Pro account.
We see a pretty similar pattern with unique visitors. Bitstamp and Kraken show at least 4 million unique site visitors per month, while CoinEx shows staggering growth in July, jumping from 1 million to more than 5 million.
CoinBene, Coinsuper, and BitForex, again, have relatively weak performance within the sample group, showing less than 1 million Unique Visitors per month.
Trade volume for the sample group was taken from CoinMarketCap and represents the “Reported 30 Day Volume” in the figure below.
Despite being less active on social media and having less traffic and fewer unique visitors, BitForex, FCoin, CoinEx, CoinBene, and Coinsuper have much larger trade volumes than Bitstamp and Kraken.
If we compare the exchanges using the Trade Volume per Unique Visitor factor, we see a radical difference between Bitstamp, Kraken and the rest of the sample.
Bitstamp and Kraken generate about $600 of Trade Volume per Unique Visitor, whereas BitForex and Coinsuper demonstrate more than $80K of Trade Volume per Unique Visitor! This is incredibly suspicious.
At the start of our analysis, we stated that Bitstamp and Kraken are well-trusted crypto exchanges with upstanding reputations. Both show strong web traffic and Unique Visitor numbers for their sites. Yet, despite all that, the sample group we are examining today shows much greater Trade Volumes. If we compare trade volume per unique visitor, we can see that BitForex’s trade volume is 131 times LARGER than that of Bitstamp or Kraken.
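The two screening signals this report relies on, a sudden volume jump on the day a fee-reimbursement scheme launches and an implausible trade volume per unique visitor relative to trusted exchanges, can be turned into a simple, repeatable check. The code below is an added example, not CER’s or Hacken’s tooling; the exchange names, volumes and visitor counts are constructed, and the thresholds are assumptions a reviewer would tune.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ExchangeStats:
    name: str
    daily_volume_usd: List[float]   # consecutive daily reported 24h volumes
    monthly_unique_visitors: int    # e.g. from a web-analytics provider
    monthly_volume_usd: float       # reported 30-day volume


def pct_change(old: float, new: float) -> float:
    """Percentage change from old to new (the report quotes jumps like +2900%)."""
    if old <= 0:
        raise ValueError("old volume must be positive")
    return (new - old) / old * 100.0


def largest_daily_jump(volumes: List[float]) -> Tuple[int, float]:
    """Index and size (%) of the largest day-over-day increase; (0, 0.0) if none."""
    best_day, best_pct = 0, 0.0
    for i in range(1, len(volumes)):
        pct = pct_change(volumes[i - 1], volumes[i])
        if pct > best_pct:
            best_day, best_pct = i, pct
    return best_day, best_pct


def volume_per_visitor(ex: ExchangeStats) -> float:
    return ex.monthly_volume_usd / ex.monthly_unique_visitors


def screen(sample: List[ExchangeStats], baseline: List[ExchangeStats],
           jump_threshold_pct: float = 1000.0,   # assumed: flag >10x overnight growth
           ratio_multiple: float = 10.0          # assumed: flag >10x baseline $/visitor
           ) -> Dict[str, List[str]]:
    """Flag exchanges in `sample` against a trusted `baseline`; returns name -> reasons."""
    ratios = sorted(volume_per_visitor(b) for b in baseline)
    base_median = ratios[len(ratios) // 2]
    flagged: Dict[str, List[str]] = {}
    for ex in sample:
        reasons = []
        day, jump = largest_daily_jump(ex.daily_volume_usd)
        if jump >= jump_threshold_pct:
            reasons.append(f"daily volume jump of {jump:.0f}% on day {day}")
        ratio = volume_per_visitor(ex)
        if ratio >= ratio_multiple * base_median:
            reasons.append(f"${ratio:,.0f} per unique visitor vs baseline ${base_median:,.0f}")
        if reasons:
            flagged[ex.name] = reasons
    return flagged


# Constructed sample data (not figures from the report).
TRUSTED = [ExchangeStats("trusted-a", [100e6] * 5, 4_000_000, 2.4e9),
           ExchangeStats("trusted-b", [120e6] * 5, 4_500_000, 2.7e9)]
SAMPLE = [ExchangeStats("sample-x", [50e6, 52e6, 1.5e9, 1.4e9, 1.3e9], 900_000, 30e9),
          ExchangeStats("sample-y", [80e6, 85e6, 90e6, 88e6, 92e6], 2_000_000, 1.3e9)]
```

Running `screen(SAMPLE, TRUSTED)` flags only sample-x, on both signals; sample-y has steady volume and roughly baseline volume per visitor.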
While conducting this research we made some very interesting observations. It’s obvious that the implementation of “trans-fee mining” leads to a huge ramp-up of trade volume, but the charts suggest that such a pump is very unlikely to be the result of a natural influx of traders. Instead, the volume could be inflated by trading bots run by someone eager to collect reimbursed tokens via “trade mining” and dividend distributions.
It’s also worth noting that historical data is essential for conducting a thorough analysis of volume manipulation, but there is one common issue among all of the observed exchanges: the impossibility of obtaining trade history and other order book data via the API. Moreover, in some cases, the API simply does not work at all!
We think that, after reviewing this case, the community should ask the following questions:
– Who benefits from this practice the most?
– Does the trans-fee mining model incentivize natural trading activity or volume manipulations?
– The most important question: What kind of effects do such methods have on the evolution of the cryptocurrency market at large?
As we stated earlier, the crypto world is very dynamic; while conducting our research and writing this article, the state of some things changed. For instance, FCoin slid down to 21st place, with about $163mln 24h Trade Volume.