Kolibri Liquidation Pool Exploit

We’re aware of a sophisticated arbitrage/economic exploit involving the kUSD/XTZ pair on Quipuswap and the Kolibri Liquidity Pool which caused losses for liquidity providers to the Kolibri Liquidity Pool.

At around 2:30PM UTC, transaction hash oo1pntsgxC1huvgj63yxtXh9HP1etQKWe4aJWFEak5vi2WNq22T (Operation oo1pnt..q22T on tzkt.io), executed a transaction to liquidate an undercollateralized oven that drained about ~1M in kUSD from the liquidity pool. The community is analyzing how this exploit was carried out and what the next steps are from here.

While we don’t think there’s imminent risk to funds in the pool, we can’t rule out that future arbitrage opportunities/economic attacks could continue to exploit the pool. Users should exercise their own judgement and caution about leaving funds in the pool.

We do know that there was no smart contract level exploit in code itself, this loss comes as a result of an economic attack that abided by the set rules of the protocol (and the safety mechanisms of Quipuswap as well), and the risk of this happening was documented in the docs (Kolibri). This economic attack only affected the value of LP tokens in the Liquidity Pool, and has no relation to your ovens, farms etc. The economics and backing of kUSD remain sound, and we have no reason to believe that the core stability mechanism is at risk.

We’re working on a full post-mortem and game plan on where we go from here with respect to the liquidity pool, so stay tuned and watch this space for updates.
There’s the possibility that the liquidity pool was un-intended collateral damage while trying to liquidate a large oven, and if that’s the case the community is willing to work with the original liquidator towards an amenable outcome if their actions were unintended.

Just to follow up here, looks like funds have been returned from the exploiter. We’re still working on the postmortem and the future work on the LP.

Huge thanks to them if they see this!

1 Like

Postmortem has been released here

1 Like