A malicious Google Tag Manager (GTM) website code allowed a hacker to steal $265,000 of users’ funds. The hack was targeting whales’ wallets.
On September 1st, 8:24 PM UTC, KyberSwap discovered a bug in its website code which allowed hackers to steal approximately $265,000.
According to the DeFi platform, two “whale” addresses were apparently affected by the attack. KyberSwap announced its intention to all affected users. Kyber claimed it discovered the exploit that allowed hackers to insert fake approvals, allowing them to transfer funds to an address. The attack was detected on Sept. 1, and the threat was “neutralized” within two hours.
What happened to KyperSwap?
KyberSwap was the victim of a website exploit. On Sept 1st, 8:24 PM UTC, they discovered a suspicious element on their front end. In order to further investigate the issue, they decided to shut down the website while the smart contracts and everything related to the blockchain were not disturbed. The issue was a malicious Google Tag Manager (GTM), which allied the attacker to steal users’ funds.
1/ ❗️Notice of Exploit of KyberSwap Frontend:
— Kyber Network (@KyberNetwork) September 1, 2022
We identified and neutralized an exploit on the KyberSwap frontend. Affected users will be compensated. We have summarized the details in this thread⬇️
It seems that the Google Tag Manager was designed to specifically target whale wallets to grant the attacker access to larger funds. After the code was eliminated, the KyberSwap UI was restored and made available for users. The UI was unavailable for just over two hours. Meanwhile, the malicious code was eliminated from the KyberSwap UI, and the hacker’s wallet was identified.
The KyberSwap announced to its users about the recent bug on the platform’s Twitter account and urged other DeFi protocols to inspect their frontend code to prevent similar attacks.
This decentralized exchange allows users to trade currencies across different blockchains. The blockchain contracts of KyberSwap were not affected. They have also identified the affected addresses.
1/ ❗️Notice of Exploit of KyberSwap Frontend:
— Kyber Network (@KyberNetwork) September 1, 2022
We identified and neutralized an exploit on the KyberSwap frontend. Affected users will be compensated. We have summarized the details in this thread⬇️
Kyber tweeted, “We have compiled a complete list of confirmed and suspected attacker addresses used during this period, including tracking interactions with centralized exchanges and OpenSea.”
While this attack ranks amongst the lowest losses suffered by the DeFi projects, these thefts add up to millions of dollars that have disappeared from users’ funds. It also makes it very clear to anyone paying attention that DeFi platforms have penetrable UIs that can be exploited by creative hackers.
KyberSwap is not safe to use, although users are advised to exert caution when doing so.
A complete list of the confirmed and suspected attackers’ addresses have been made public on their blog. There’s also a complete list of the addresses of the smart contracts related to using KyberSwap. Additional info about the incident can be found in the same blog – Notice of Exploit of KyberSwap Frontend.
Will KyberSwap retrieve the stolen funds?
Blockchain transactions are irreversible, and KyberSwap might not be able to get the funds back, even if they have traced the wallets. The only way to get the stolen funds back is if the hackers decide to transfer them back.
For that reason, the Kyber protocol has urged the attacker to send the funds back. Not only that, but they are offering a bug bounty of 15% from the stolen funds.
Here’s the message for the KyberSwap hacker:
“Hello attacker. We know the addresses you own have received funds from central exchanges, and we can track you down from there. We also know the addresses you own have OpenSea profiles and we can track you through the NFT communities or directly through OpenSea. As the doors of exchanges close upon you, you will not be able to cash out without revealing yourself. As a bug bounty, we are offering you 15% of the funds if you return it and have a conversation with our team. To confirm, send the funds to the following Polygon address: 0x2dc0ba6ba3485edd61f17ffabf4c7a9626001d50”