KyberSwap hacker demands full control over the DEX at ‘fair valuation’
In an unprecedented ultimatum, the hacker behind November's KyberSwap attack has insisted on full control over the project, including forfeiture of assets, documents, and governance controls.
The hacker responsible for the $48 million KyberSwap heist has escalated their demands, now seeking complete executive control over the decentralized exchange (DEX).
The hacker revealed the updated demands in an on-chain message sent on Nov. 30.
They had previously expressed willingness to negotiate a bounty but complained of receiving threats and a general lack of friendliness from KyberSwap’s executive team on Nov. 28.
The hacker’s latest demands include total control of KyberSwap and temporary and full ownership of KyberDAO, the platform’s governance mechanism. Additionally, they are asking for all documents related to the company’s structure, profits, revenue, assets, liabilities, and employee salaries. The attacker also insists on receiving all KyberSwap assets, encompassing both on-chain and off-chain holdings.
In return, the hacker promises to buy out the company’s executives at a “fair valuation” and pledges to double the salaries of employees who choose to remain post-takeover. Those opting to leave are offered a 12-month severance package.
The message also outlines plans for a “complete makeover” of the Kyber project, aiming to increase the value of its tokens, which the hacker currently deems “worthless.” Liquidity providers (LPs) affected by the attack are promised a rebate equaling 50% of their recent market-making losses.
The hacker has set a Dec. 10 deadline for the KyberSwap team to meet these demands, after which the offer becomes void. Additionally, any agent contact regarding the hacker’s trades on KyberSwap will nullify the proposed “treaty.”
The hacker’s unprecedented move has been met with a mix of alarm and skepticism in the crypto community. It has also renewed debate around the security of decentralized protocols and how to improve them.
KyberSwap has yet to respond
The DEX’s leadership team has not yet responded publicly to the hacker’s latest message.
KyberSwap initially offered a bounty deal, proposing the hacker return 90% of the stolen funds and keep the remaining 10%. However, following the hacker’s lack of immediate compliance, KyberSwap threatened legal action and claimed to have the exploiter’s digital footprints for tracking.
The DEX also announced plans for a public bounty program to encourage information leading to the hacker’s arrest and the recovery of user funds.
From the $46 million stolen, KyberSwap has managed to recover $4.67 million, attributed to actions by operators of front-running bots on the Polygon and Avalanche networks.
The attack, described as an “infinite money glitch” by decentralized finance expert Doug Colkitt, was a complex smart contract exploit spanning several networks, including Avalanche, Polygon, Ethereum, Arbitrum, Optimism, and Base.