LBank is a Hong Kong-based crypto exchange focused mainly on the Chinese market. The exchange is ranked 12th by CoinMarketCap with $237.5 mln 24h trade volume (as of October 22).
The exchange’s English website version and the company description state that it was launched in October 2016, whilst its Twitter account and domain were registered in September 2017. Its earliest trade history was also observed in September 2017. Maybe it’s just a typo? We highly doubt that!
Did you hope the riddle was over? Nope! If you want to learn more about LBank’s team, you probably won’t be able to. Why? Because there is almost no public information about it. There is only a mention of Eric He, the co-founder of the exchange, but we couldn’t find any further information about him or other staff members. However, we managed to spot Claudia Olah, the director of global marketing for RadarWin Investment Management Co. Ltd. This company invests in hi-tech and blockchain projects, including the DAEX.io and LBank exchanges (see fig 2). So far, she’s our only lead.
After you verify your LBank account and set an additional “asset password”, you can connect it to the following fiat payment methods: bank card, Alipay, and WeChat Pay.
LBank doesn’t offer fiat-to-crypto trading but allows users to buy/sell crypto for CNY and USD via a peer-to-peer OTC feature. Besides that, the platform provides crypto trading in 119 pairs across 5 markets:
After reviewing the 6 most active pairs, which account for 70-80% of LBank’s total 24h trade volume (BTC/USDT, QTUM/BTC, QTUM/ETH, QTUM/USDT, EOS/ETH, ZEC/ETH), we noticed that the daily charts for all 6 pairs show different periods of suspiciously stable trade volume until the middle of July 2018. Do you know what we think? Yes, such volume behaviour suggests nothing but an artificial origin. We assume that the volume was tailored to create a false appearance of high liquidity, since from the middle of July 2018 the daily volume values have become more variable.
There are also many inconsistencies between price moves and trade volume. Under normal market conditions, trade volume rises along with a sharp price jump or decline, but LBank’s charts often show low volume during periods of high volatility and large volume spikes in less volatile periods. What’s more, the periodicity of transactions, and especially their amounts, seems to be intentionally randomized as well (see figs 3-8).
Smells like trade volume manipulation? It definitely does to us!
For LBank’s cybersecurity assessment, we used the new version of the CER Cybersecurity Score (CSS) calculation model, which has not yet been implemented in the CER platform.
As you can see, the exchange got only 7.51 out of 10 points due to the absence of a bug bounty program, medium password requirements, a weak Web Application Firewall (WAF), and a poor HTTP security headers report.
A bug bounty program is a crowdsourcing initiative that rewards individuals (ethical hackers) for discovering and reporting software bugs. Currently, LBank doesn’t run any bug bounty program, either self-hosted or via specialized third-party platforms like HackenProof.
A strong user password is one of the basic account security measures. LBank has medium password requirements: a length of 8-20 characters, consisting of letters and numbers.
A Web Application Firewall (WAF) is an application-level security layer designed to detect and block modern attacks on web applications, such as SQL injection and remote code execution. Note that it’s THE MOST IMPORTANT component of cybersecurity. Our WAF availability check showed that LBank is using the freeware OWASP ModSecurity Core Rule Set, which can be bypassed with little effort.
HTTP security headers are a fundamental part of website security. Once implemented, they protect users against the types of attacks that a site is most likely to come across.
LBank’s site has a warning regarding weak parameters of Strict-Transport-Security and is missing 5 of the remaining headers (out of 7 in total): Content-Security-Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, and Feature-Policy.
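To make the headers finding reproducible, here is an added example (not code from the original review or from CER) of the kind of check behind it: it takes a response’s header map and reports which of the seven headers are absent, present, or present but weak. The seventh header is not named in the review, so X-Frame-Options is assumed here; the minimum `max-age` used to judge Strict-Transport-Security (six months) is likewise an assumption, and the sample headers are constructed to resemble the finding rather than captured from the exchange.

```python
import re
from typing import Dict, List

# The review counts seven security headers. Six are named on the page; the
# seventh is not, so X-Frame-Options is assumed here as the remaining one.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",  # assumption: not named in the review
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Feature-Policy",
)

# Minimum HSTS max-age treated as "strong" (assumption: six months in seconds).
MIN_HSTS_MAX_AGE = 15_768_000


def check_hsts(value: str) -> List[str]:
    """Return the list of weaknesses found in a Strict-Transport-Security value."""
    problems = []
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        problems.append("max-age directive missing")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        problems.append(f"max-age={match.group(1)} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in value.lower():
        problems.append("includeSubDomains not set")
    return problems


def assess_headers(headers: Dict[str, str]) -> Dict[str, list]:
    """Classify a response's headers as ok, missing, or present-but-weak.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    report = {"ok": [], "missing": [], "warnings": []}
    for name in EXPECTED_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            report["missing"].append(name)
            continue
        problems = check_hsts(value) if name == "Strict-Transport-Security" else []
        if problems:
            report["warnings"].append((name, problems))
        else:
            report["ok"].append(name)
    return report


def score_missing(report: Dict[str, list]) -> int:
    """Number of expected headers that are absent outright."""
    return len(report["missing"])


# Constructed sample response headers shaped like the finding in the review:
# HSTS present with weak parameters, five of the other headers absent.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "SAMEORIGIN",
}


if __name__ == "__main__":
    result = assess_headers(SAMPLE_HEADERS)
    for name in result["missing"]:
        print(f"MISSING  {name}")
    for name, problems in result["warnings"]:
        print(f"WEAK     {name}: {'; '.join(problems)}")
    for name in result["ok"]:
        print(f"OK       {name}")
```

Run against live headers, the same function works on the dict a client such as `requests` returns for `response.headers`; the point of keeping the header list and the HSTS threshold as named constants is that a scoring model like CSS can weight each line of the report separately.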
For our marketing analysis, we’ve compared LBank with Kraken, KuCoin, and Gemini.
Here is a quick snapshot of exchanges in question from CoinMarketCap (CMC) as of November 1, 2018. The figures highlighted in a red box are “30 Day Adjusted Trading Volume”.
As you can see, LBank is a dominant leader among the group.
We used SimilarWeb Pro to get the LBank’s user traffic data over the last six months, and then compared the results:
As we can see, LBank’s traffic is far below KuCoin’s or Kraken’s and about 5 times lower than Gemini’s. We see a similar picture for the average number of unique visitors per period:
The only question left: how can this be true, considering that LBank’s trade volume is several times higher than those of its peers?
Again, LBank is demonstrating much less engagement than its peers. KuCoin and Kraken are not even on a level playing field with 30 times more followers on their Twitter accounts. Weird, isn’t it?
Isn’t it suspicious that, despite miserable website traffic and a tiny Twitter community, LBank has a trading volume 10 times higher than Gemini’s?!
Kraken, KuCoin, and Gemini trade about $300-$2000 per unique user, whereas LBank trades more than $65 000 per unique visitor. That is even 5 times higher than the trade volume per user on Bitforex ($12 824). This is obviously a suspicious KPI. Seems like we’ll never hear the end of it!
As we can see, CoinMarketCap is by far the largest source of LBank’s referral traffic. This suggests nothing other than that LBank artificially boosts its trading volume to get to the “top” of the CMC ranking, a “growth hacking tactic” exchanges use to increase the flow of traffic to their websites.
The conclusion is pretty much the same as in all the research we do on controversial exchanges: low traffic, low community engagement, and off-the-chart trading volumes that vastly surpass those of well-established crypto exchanges.
Based on the results of the liquidity, cybersecurity, and marketing analyses, we determined clear pros and cons of LBank. Considering them, we conclude that LBank is an unreliable exchange for crypto trading, due to apparently falsified liquidity and exploitable cybersecurity issues.
Download the full report to get more details on our findings.
P.S. Stay woke – trust only reliable exchanges.