KyberSwap, a decentralized exchange designed to allow users to swap tokens between blockchains, confirmed on Thursday that it suffered an exploit on its front-end web code.
The attackers were able to steal around $265,000 in cryptocurrency funds before the Kyber team was able to put an end to the attack.
Decentralized finance, or DeFi, refers to peer-to-peer financial services run on blockchain technology. With it, people can do most of what banks let them do, such as transferring funds, earning interest, borrowing and trading assets, without a central authority. KyberSwap enables the exchange of cryptocurrency assets between blockchains on a decentralized token exchange and acts as a market maker for its users, allowing them to trade tokens at the best market rates.
Unlike other DeFi protocols that have fallen victim to exploits over the past year, Kyber smart contracts did not host the vulnerability. Instead, the problematic code was discovered in the user interface.
“On September 1, 15:24 GMT+7, we identified a suspicious element on our interface,” the team at Kyber Network, KyberSwap’s infrastructure group, wrote about the exploit in the announcement. “While shutting down our front-end to conduct investigations, we identified malicious code in our Google Tag Manager (GTM), which inserted a fake endorsement, allowing a hacker to transfer a user’s funds to their address.”
Google Tag Manager scripts are commonly used by websites to track users for analytics purposes, such as pages visited, length of stay, and IP addresses from which they visit. Google’s analytics scripts hold nearly 70% of the total web analytics market share, according to Statista.
In Kyber’s case, whatever source its Google Tag Manager script was being loaded from may have been compromised by a bad actor, who inserted the malicious code.
Once the issue was discovered, Kyber disabled the front-end UI and quickly communicated it to the community. The malicious code, once found, and the GTM script were then disabled as well.
“The script had been quietly injected and specifically targeted whale wallets with large amounts,” the Kyber team said.
Whales are what the community refers to as people or entities that hold large amounts of cryptocurrency. As a result, they are very likely to be targeted by hackers who intend to steal their funds.
Although the team cut the attackers off, they still managed to take $265,000 worth of Aave Matic USDC tokens from two different “whale accounts” in four trades.
Luu added that the Kyber team is ready to reimburse the losses to the two victims. He has contacted one and is reaching out to the other.
Currently, Kyber does not know exactly how the malicious code injection occurred. However, Luu assuaged community concerns by stating that he is certain the malicious code has been completely removed.
The team then urged other protocols and companies working within DeFi to audit their code, especially when working with third-party libraries.
Now that the incident is over, the Kyber Network team is offering the hackers a 15% bounty, worth $40,000, if they return the stolen funds. Kyber added that it is aware of the attacker’s crypto addresses and OpenSea marketplace profiles, so it will be difficult for them to “cash out”.