Attackers were able to steal approximately $265,000 in cryptocurrency funds before the Kyber team were able to shut down the attack.
Decentralized finance, or DeFi, refers to peer-to-peer financial services executed using blockchain technology. With it, people can do most things that banks can do, such as transfer funds, earn interest, borrow and trade assets, all without the need for a centralized authority. KyberSwap allows for the exchange of cryptocurrency assets between blockchains on a decentralized token exchange and acts as a market maker for its users, allowing them to exchange tokens at the best market rates.
Unlike other DeFi protocols that have fallen victim to exploits over the past year, Kyber’s smart contracts did not host the vulnerability. Instead, the problematic code was discovered in the user interface.
“On 1 Sep, 3.24PM GMT+7, we identified a suspicious element on our frontend,” the team at Kyber Network, the infrastructure group for KyberSwap, wrote about the exploit in the announcement. “Shutting down our front end to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM), which inserted a false approval, allowing a hacker to transfer a user’s funds to his address.”
Google Tag Manager scripts are commonly used by websites to track users for analytics, such as which pages they visit, how long they stay and which IP addresses they visit from. Google’s analytics scripts hold almost 70% of the market share of total analytics across the web, according to Statista.
In Kyber’s case, the source that the Google Tag Manager script came from may have been corrupted by a bad actor who inserted the malicious code.
Once the issue was discovered, Kyber disabled the front-end user interface and quickly communicated this to the community. The malicious code was discovered and the GTM was then also disabled.
“The script had been discreetly injected and specifically targeting whale wallets with large amounts,” the Kyber team said.
Whales are what the community calls people or entities who hold large amounts of cryptocurrency. As a result, they are highly likely to be targeted by hackers who intend to steal their funds.
Although the team was able to cut off the attackers, they were still able to take approximately $265,000 worth of Aave Matic USDC tokens from two different “whale accounts” in four transactions.
Luu added that the Kyber team is prepared to refund the losses to both victims and has already contacted one and is reaching out to the other.
Currently, Kyber does not know exactly how the malicious code injection happened. However, Luu soothed community concerns by stating that he is certain that the code has been completely cleansed from the front end.
The team went on to urge other protocols and companies working within DeFi to audit their code, especially when working with third-party libraries.
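The “false approval” in Kyber’s announcement is taken here to be an ERC-20 allowance call naming a spender the user never intended (an assumption; the announcement does not give the calldata). The following is an added example, not Kyber’s code: a JavaScript check that decodes approval calldata and blocks any spender outside an allowlist, with all function names and addresses constructed for illustration.

```javascript
// ERC-20 calls that grant a spender an allowance, keyed by 4-byte selector.
const APPROVAL_SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],
  ["39509351", "increaseAllowance(address,uint256)"],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode selector + two 32-byte ABI words; null means "not an approval call".
function decodeApproval(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return null;
  const method = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!method) return null;
  // Wrong length or a non-zero-padded address word is reported, never guessed at.
  if (hex.length !== 136 || !/^0{24}/.test(hex.slice(8, 72))) {
    return { method, malformed: true };
  }
  return {
    method,
    malformed: false,
    spender: "0x" + hex.slice(32, 72),
    amount: BigInt("0x" + hex.slice(72)),
  };
}

// Verdict for one transaction request against the spenders the front end should use.
function reviewTransaction(tx, allowedSpenders) {
  const call = decodeApproval(tx.data);
  if (call === null) return { verdict: "not-approval" };
  if (call.malformed) return { verdict: "block", reason: "malformed approval calldata" };
  const allowed = new Set(allowedSpenders.map((a) => a.toLowerCase()));
  const unlimited = call.amount === MAX_UINT256;
  if (!allowed.has(call.spender)) {
    return { verdict: "block", reason: "spender not in allowlist", spender: call.spender, unlimited };
  }
  return { verdict: "allow", spender: call.spender, unlimited };
}

// Constructed sample data: every address here is a placeholder, not an incident value.
const ROUTER = "0x1111111111111111111111111111111111111111"; // hypothetical allowed router
const UNKNOWN = "0x2222222222222222222222222222222222222222"; // hypothetical unexpected spender
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const sampleTx = (spender, amount) => ({
  data: "0x095ea7b3" + word(spender) + word(amount.toString(16)),
});

console.log(reviewTransaction(sampleTx(ROUTER, 1000n), [ROUTER]));
console.log(reviewTransaction(sampleTx(UNKNOWN, MAX_UINT256), [ROUTER]));
```

A script injected into the page can bypass checks that run in that same page, so a check like this belongs somewhere the page cannot tamper with, such as the wallet, a signing proxy or a monitor watching submitted transactions.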
Now that the incident is over, the Kyber Network team is offering a 15% bounty, worth $40,000, to the hackers upon the return of the stolen funds. Kyber added that it is aware of the attacker’s crypto addresses and OpenSea marketplace profiles; as a result, it will be difficult for them to “cash out.”