Exploit on Kolibri

The impact of unintended consequences

Yesterday, 20 December 2021, we received notifications of a possible exploit of the Kolibri platform on Tezos. We at ubinetic, as builders of the youves platform, which has a similar offering, take such events extremely seriously. After some initial analysis, we believe we understand how the exploit works.

To explain how, we first need to establish some of the functionality of Kolibri:

The following is our understanding of the exploit:

Quipuswap tez vs. kUSD pool at the time of writing.

Theoretical impact of trading in the current pool on Quipuswap.

In summary, what the attacker does to exploit this vulnerability is:

▹ Push the price on Quipuswap as far as possible (if you don’t have the funds yourself, use a flash loan).

▹ Trigger the liquidator to target that oven.

▹ The oven is liquidated and the liquidation pool buys overpriced kUSD back.

▹ Push the price back to where it was before the manipulation.
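To make the four steps concrete, the following toy simulation is an added example (not code from the original post, and not Kolibri’s or youves’ code). It models the Quipuswap tez/kUSD pool as a fee-less constant-product pool, models the liquidation pool’s buyback as a single market buy of kUSD at whatever the pool’s current price is, and sandwiches that buy between the attacker’s two trades. Reserve sizes, trade sizes and the 5% deviation threshold in the guard at the end are constructed numbers; the guard itself is a generic price-deviation check shown for illustration, not the specific rule youves introduced.

```python
"""Added example (not from the original post): a toy constant-product AMM
showing why a forced on-chain buyback can be sandwiched. Pool sizes, trade
sizes and the 5% deviation guard are constructed numbers; "tez" and "kusd"
just name the two reserves. Swap fees are omitted for clarity."""

from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y = k pool. Prices are quoted as tez per kUSD."""
    tez: float
    kusd: float

    def spot_price(self) -> float:
        return self.tez / self.kusd

    def buy_kusd(self, tez_in: float) -> float:
        """Pay tez into the pool and receive kUSD; pushes the kUSD price up."""
        k = self.tez * self.kusd
        self.tez += tez_in
        new_kusd = k / self.tez
        kusd_out = self.kusd - new_kusd
        self.kusd = new_kusd
        return kusd_out

    def sell_kusd(self, kusd_in: float) -> float:
        """Pay kUSD into the pool and receive tez; pushes the kUSD price down."""
        k = self.tez * self.kusd
        self.kusd += kusd_in
        new_tez = k / self.kusd
        tez_out = self.tez - new_tez
        self.tez = new_tez
        return tez_out


def simulate_sandwich(tez_reserve, kusd_reserve, attacker_tez, buyback_tez):
    """Run the four steps from the summary against a fresh pool.

    Returns what the buyback actually received, what it would have received
    without manipulation, and the attacker's net tez profit.
    """
    # Reference run: the buyback alone, paying only its own slippage.
    fair_pool = ConstantProductPool(tez_reserve, kusd_reserve)
    kusd_fair = fair_pool.buy_kusd(buyback_tez)

    pool = ConstantProductPool(tez_reserve, kusd_reserve)
    # 1. Attacker pushes the kUSD price up (the tez could come from a flash loan).
    attacker_kusd = pool.buy_kusd(attacker_tez)
    # 2./3. Liquidation is triggered; the liquidation pool buys kUSD at the
    #       manipulated price and receives far less than it should.
    kusd_manipulated = pool.buy_kusd(buyback_tez)
    # 4. Attacker unwinds, selling the kUSD back at the now even higher price.
    tez_back = pool.sell_kusd(attacker_kusd)

    return {
        "buyback_kusd_fair": kusd_fair,
        "buyback_kusd_manipulated": kusd_manipulated,
        "attacker_profit_tez": tez_back - attacker_tez,
    }


def guarded_buy_kusd(pool, tez_in, reference_price, max_deviation=0.05):
    """Illustrative mitigation (an assumption, not the rule youves adopted):
    refuse the buyback when the pool's spot price deviates from an independent
    reference (e.g. an oracle or time-weighted price) by more than
    max_deviation. Returns kUSD received, or None if the trade was refused."""
    deviation = abs(pool.spot_price() - reference_price) / reference_price
    if deviation > max_deviation:
        return None
    return pool.buy_kusd(tez_in)


def simulate_guarded_sandwich(tez_reserve, kusd_reserve, attacker_tez, buyback_tez):
    """Same attack, but the buyback goes through the deviation guard."""
    pool = ConstantProductPool(tez_reserve, kusd_reserve)
    reference = pool.spot_price()  # price before the manipulation
    pool.buy_kusd(attacker_tez)    # attacker pushes the price
    return guarded_buy_kusd(pool, buyback_tez, reference)


if __name__ == "__main__":
    r = simulate_sandwich(250_000, 1_000_000, 50_000, 20_000)
    print(f"buyback got {r['buyback_kusd_manipulated']:.2f} kUSD "
          f"instead of {r['buyback_kusd_fair']:.2f}; "
          f"attacker profit {r['attacker_profit_tez']:.2f} tez")
    print("guarded buyback:",
          simulate_guarded_sandwich(250_000, 1_000_000, 50_000, 20_000))
```

With the constructed reserves (250,000 tez against 1,000,000 kUSD, i.e. 0.25 tez per kUSD) the buyback receives roughly 52,083 kUSD for its 20,000 tez instead of the roughly 74,074 kUSD it would have received untouched, and the attacker walks away with about 6,264 tez more than they put in. The loss is borne entirely by the party that was forced to trade at the manipulated price. Note that the attacker does not need to bring the price exactly back to its starting point; they only need to sell into a higher price than they bought at, which the buyback itself guarantees. The guard refuses the same buyback because the spot price is 44% away from the pre-manipulation reference; the weakness of such a guard is that it needs a reference the attacker cannot move in the same transaction.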

The fact that the vulnerability was exploited is unfortunate for the people who had their kUSD locked in the liquidation pool. However, we are convinced that Kolibri as a protocol will become more resilient and more secure because of this event. Furthermore, seeing these kinds of attacks in Tezos DeFi is also a side effect of its growth and success. The fact that technically skilled engineers take the time to understand the various smart contracts and mechanics shows how the ecosystem is maturing and professionalizing.

It’s also important to mention that the challenge with automatic buybacks on AMMs is not unique to Kolibri. It is also relevant for youves: more specifically, the latest amendment (YIP-002) introduces a unified staking pool that will sell the rewards and buy back YOU tokens. Having discussed these kinds of scenarios, we decided to introduce specific rules to mitigate this risk.

The youves team has already reached out to the Kolibri engineers and will provide support and help if needed.
