KyberSwap hacker offers $4.6M bounty for return of $46M loot

cointelegraph.com:

The decentralized exchange KyberSwap has offered a 10% bounty reward to the hacker who stole $46 million on Nov. 22 and left a note of negotiation. The exchange wants 90% of the loot returned by 6 am UTC on Nov. 25.

On Nov. 23, KyberSwap alerted users that its liquidity solution, KyberSwap Elastic, was compromised and advised them to withdraw funds. In the meantime, on Nov. 22, the hacker made away with roughly $20 million in Wrapped Ether (wETH), $7 million in wrapped Lido-staked Ether (wstETH) and $4 million in Arbitrum (ARB) tokens. The hacker then siphoned the loot across multiple chains, including Arbitrum, Optimism, Ethereum, Polygon and Base.

After hiding the stolen funds, the hacker wrote an on-chain message directed to KyberSwap developers, employees, decentralized autonomous organization members and liquidity providers, stating, “Negotiations will start in a few hours when I am fully rested.”

Following a day’s silence from both ends, KyberSwap responded to the hacker requesting the return of 90% of the stolen funds. The team acknowledged the skills of the hacker and laid down an offer:

If the hacker fails to pay back or respond to KyberSwap by 6 am UTC, Nov. 25, “you stay on the run,” said KyberSwap. The team is open to further discussion with the hacker via email.

Related: KyberSwap announces potential vulnerability, tells LPs to withdraw ASAP

A dissection of the recent KyberSwap hack by a decentralized finance (DeFi) expert suggests that the attacker used an “infinite money glitch” to drain funds.

Ambient exchange founder Doug Colkitt explained the KyberSwap attacker relied on a “complex and carefully engineered smart contract exploit” to carry out the attack.

1/ Finished a preliminary deep dive into the