DeFi platform KyberSwap suffers $265,000 loss in user interface exploit

KyberSwap, a decentralized exchange built to allow users to swap tokens between blockchains, confirmed Thursday that it has suffered an exploit to its front-end web code.

Attackers were able to steal about $265,000 in cryptocurrency funds before the Kyber team was able to shut down the attack.

Decentralized finance, or DeFi, refers to peer-to-peer financial services executed using blockchain technology, using it people can do most things that banks can do such as transfer funds, earn interest, borrow, trade assets and similar activities, without the need for a centralized authority. KyberSwap allows for the exchange of cryptocurrency assets between blockchains on a decentralized token exchange and acts as a market maker for its users, allowing them to exchange tokens at the best market rates.

Unlike other DeFi protocols that have fallen victim to exploits in the recent year, Kyber’s smart contracts did not host the vulnerability. Instead, the problematic code was discovered in the user interface.

“On 1 Sep, 3.24PM GMT+7, we identified a suspicious element on our frontend,” the team at Kyber Network, the infrastructure group for KyberSwap, wrote about the exploit in the announcement. “Shutting down our front end to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM), which inserted a false approval, allowing a hacker to transfer a user’s funds to his address.”

Google Tag Manager scripts are commonly used by websites to track users for analytics, such as what pages are visited, how long they stay and what IP addresses they visit from. Google’s analytics scripts hold almost 70% of the market share of total analytics across the web, according to Statista.

In Kyber’s case, whatever source the Google Tag Manager came from may have been corrupted by a bad actor, inserting the malicious code.

Once the issue was discovered, Kyber disabled the front-end user interface and quickly communicated it to the community. The malicious code as discovered and the GTM was then also disabled.

“The script had been discreetly injected and specifically targeting whale wallets with large amounts,” the Kyber team said.

Whales are what the community refers to people or entities who hold large amounts of cryptocurrency. As a result, they are highly likely to be targeted by hackers who intend to steal their funds.

Although the team cut off the attackers, they were still able to take $265,000 worth of Aave Matic USDC tokens from two different “whale accounts” in four transactions.

“This is the first time a hack happened to us after five years, unfortunately, but our team handled this incident exceptionally well,” Kyber co-founder Loi Luu said in a tweet. “Within a few hours since the hack is detected, we identified the malicious code (loaded on-the-fly via a reputable 3rd party [JavaScript]), removed it.”

Luu added that the Kyber team is prepared to refund the losses to both victims. It has contacted one and is reaching out to the other.

Currently, Kyber does not know exactly how the malicious code injection happened. However, Luu soothed community concerns by stating that he is certain that the code has been completely cleansed from the front end.

The team went on to urge other protocols and companies working within DeFi to audit their code, especially when working with third-party libraries.

Now that the incident is over, the Kyber Network team is offering a 15% bounty, worth $40,000, to the hackers upon the return of the stolen funds. Kyber added that it is aware of the attacker’s crypto addresses and OpenSea marketplace profiles, so it will be difficult for them to “cash out.”

Photo: Production Perig