After the Curve Finance exploit last month, the decentralized exchange (DEX) KyberSwap joins the list of DeFi projects to suffer a front-end exploit.
On Friday, the Kyber Network, the liquidity protocol on which KyberSwap is built, confirmed reports, adding that the attack on its website was quickly identified and fixed within a few hours.
“At 3.24 pm GMT+7, we identified a suspicious element on our frontend,” Kyber Network tweeted. “Shutting down our frontend to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM) and immediately disabled it.”
Per the company’s announcement, the thieves were able to compromise the app’s front end through the Google Tag Manager (GTM) script.
GTM scripts are often used by websites for tracking user activity and data for analytical purposes.
Using the injected malicious script via GTM, the hackers made users approve their funds and sent them to the hacker’s address.
“This is the first time a hack happened to us after five years, unfortunately, but our team handled this incident exceptionally well,” tweeted Loi Luu, Kyber’s co-founder. “Within a few hours since the hack is detected, we identified the malicious code (loaded on-the-fly via a reputable 3rd party js lib), removed it.”
Before the fix, however, the hacker was able to move $265,000 worth of Aave Matic interest-bearing USDC (AMUSDC) tokens in four transactions.
Aave exists on Ethereum as well as several other blockchains, including Polygon. The above token represents a deposited USDC stablecoin on Aave’s Polygon integration. Each time a token like this is deposited on the lending platform, users receive the interest-bearing version to represent their deposit.
It is this interest-bearing version that the hackers nabbed in Friday’s exploit.
Kyber Network warned all their users to double-check their approvals using the approval tool provided by the block explorer, polygonscan.
6/ If you suspect or find that your address has interacted with the malicious script or has been given wrongful approval, we have provided instructions to revoke the approval in our blog post https://t.co/3qDRccZKPs
— Kyber Network (@KyberNetwork) September 1, 2022
The DeFi project’s smart contracts appear unaffected.
$40,000 bounty for KyberSwap exploiters
Kyber Network has offered a 15% bounty worth $40,000 to the hackers if they return the stolen funds. The remaining funds are asked to be transferred to a wallet address provided by the company.
As of this writing, no funds have been returned.
This is not the first time the crypto industry has faced a hack, nor will it be it's last. Two of the largest-ever hacks occurred this year, first to an Ethereum-to-Solana bridge network in January and then again to Axie Infinity’s crypto bridge called Ronin in March.
In total, these two hacks alone made up $878 million in losses for users at that time.