KyberSwap gave 0.05 USDT for $2M USDC

Here’s how one unlucky user paid $2,080,468.85 to receive $0.05 of USDT. The unfortunate soul used the KyberSwap aggregation router to dump a large clip of 3CRV (DAI/USDC/USDT) LP token into USDT. In his haste to swap, he neglected to set his slippage correctly. Or, like, at all. He hits send.


The next actor in our story is Uniswap V2 pool 0x7d36fbd3, pairing 3CRV/USDC. This pool contained about $2 in liquidity, and had sat idle for the last 251 days. 2 million 3CRV slam into the pool with the force of a thousand suns, and x * y = k does its grim work. Exactly 54182 units of USDC, worth about 5 cents, leave the contract for the second leg of the swap, where they are happily swapped into USDT, and go on to the swapper.

The pool, now hideously imbalanced, cries out for aid. An MEV bot answers the call, and gently restores the balance by exchanging 1.45 USDC for the 2M 3CRV in the pool. KyberSwap's postmortem basically confirms what we suspected: that the user accepted an exceptionally low output amount.
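To make the mechanics concrete, here is an added sketch (not KyberSwap's or Uniswap's code) of the Uniswap V2 constant-product quote with its 0.3% fee, next to the minimum-output check that a correctly set slippage tolerance feeds. The pool reserves, the reference quote and the names `swap` and `min_amount_out` are constructed for illustration and are not the real pool's on-chain values.

```python
# Added illustration; reserves and amounts below are constructed, not on-chain data.
FEE_NUM, FEE_DEN = 997, 1000  # Uniswap V2 charges 0.3% on the input amount


class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's floor."""


def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    """Constant-product (x * y = k) quote in integer base units."""
    if amount_in <= 0 or reserve_in <= 0 or reserve_out <= 0:
        raise ValueError("amount and reserves must be positive")
    in_with_fee = amount_in * FEE_NUM
    return in_with_fee * reserve_out // (reserve_in * FEE_DEN + in_with_fee)


def min_amount_out(reference_out: int, slippage_bps: int) -> int:
    """Lowest acceptable output for a reference quote and tolerance in bps."""
    if not 0 <= slippage_bps <= 10_000:
        raise ValueError("slippage_bps must be within 0..10000")
    return reference_out * (10_000 - slippage_bps) // 10_000


def swap(amount_in, reserve_in, reserve_out, amount_out_min):
    """Hypothetical router step: quote, then enforce the caller's floor."""
    out = get_amount_out(amount_in, reserve_in, reserve_out)
    if out < amount_out_min:
        raise SlippageExceeded(f"got {out}, need at least {amount_out_min}")
    return out


# Constructed thin pool: 1 3CRV (18 decimals) against 1 USDC (6 decimals).
THIN_3CRV, THIN_USDC = 10**18, 10**6
AMOUNT_IN = 2_000_000 * 10**18        # 2M 3CRV
REFERENCE_OUT = 2_000_000 * 10**6     # assumed fair quote of about 1 USDC per 3CRV

if __name__ == "__main__":
    # Floor of zero: the swap goes through and can never exceed the pool's reserve.
    print("no floor  :", swap(AMOUNT_IN, THIN_3CRV, THIN_USDC, 0), "USDC base units")
    floor = min_amount_out(REFERENCE_OUT, 50)  # 0.5% tolerance
    try:
        swap(AMOUNT_IN, THIN_3CRV, THIN_USDC, floor)
    except SlippageExceeded as exc:
        print("0.5% floor: reverted,", exc)
```

With a floor of zero the output is capped by whatever the thinnest pool on the route holds; with any floor derived from a sane reference price, the same swap reverts and the user loses only gas.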

Lots of people railing against MEV here, but this is really more of a dapp-side failure afaik. Hope Kyber makes this poor soul right if it was their frontend that is at fault here.