Rob Behnke
September 8th, 2022
In September 2022, the KyberSwap Network multichain DeFi platform was the victim of a hack. The attacker exploited the platform’s frontend website to steal approximately $265,000 in tokens from one user wallet.
Unlike many DeFi hacks, the Kyber Network attacker targeted the platform’s frontend systems rather than its smart contracts. In this case, the attacker injected malicious code into the platform’s Google Tag Manager (GTM) container, which the site uses to load Google Analytics, and that code allowed the hacker to transfer the user’s funds into their own wallet.
This malicious code was designed specifically to target whale wallets containing large amounts of cryptocurrency. When a user attempted to perform a transaction on the Kyber Network platform using one of these high-value wallets, the malicious code would modify the transaction to include token approvals for the attacker’s address. The attacker could then use these approvals to drain value from the high-value wallets.
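The mechanism above is a tampered approval: the dApp frontend hands the wallet a transaction whose calldata grants a spender the user never intended. A frontend or wallet can catch that class of tampering by decoding the calldata before it is signed and refusing approvals to any spender outside an allowlist of the platform’s own contracts. The following is an added illustration, not code from Kyber Network or Halborn; the router and spender addresses are constructed placeholders, and the allowlist of trusted spenders is a hypothetical configuration the platform would maintain.

```javascript
// Added example (not KyberSwap's code): pre-signing audit of ERC-20 approvals.
// It decodes approve(address,uint256) / increaseAllowance(address,uint256)
// calldata and flags approvals to unknown spenders or for unlimited amounts,
// which is the shape of transaction a tampered frontend would produce.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const APPROVE_SELECTOR = "0x095ea7b3";            // approve(address,uint256)
const INCREASE_ALLOWANCE_SELECTOR = "0x39509351"; // increaseAllowance(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;            // "unlimited" approval amount

// Constructed placeholder addresses, not real contracts.
const TRUSTED_ROUTER = "0x1111111111111111111111111111111111111111";
const UNKNOWN_SPENDER = "0x2222222222222222222222222222222222222222";
const TOKEN_CONTRACT = "0x3333333333333333333333333333333333333333";

// Build approve() calldata the way a frontend would (used here only to
// construct sample transactions for the audit below).
function encodeApprove(spender, amount) {
  const addrWord = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amtWord = amount.toString(16).padStart(64, "0");
  return APPROVE_SELECTOR + addrWord + amtWord;
}

// Decode calldata into { method, spender, amount } if it is an approval call,
// otherwise return null. ABI layout: 4-byte selector, then two 32-byte words;
// the address occupies the low 20 bytes of the first word.
function decodeApproval(data) {
  if (typeof data !== "string") return null;
  let hex = data.toLowerCase();
  if (!hex.startsWith("0x")) hex = "0x" + hex;
  const selector = hex.slice(0, 10);
  if (selector !== APPROVE_SELECTOR && selector !== INCREASE_ALLOWANCE_SELECTOR) return null;
  const args = hex.slice(10);
  if (args.length !== 128 || !/^[0-9a-f]+$/.test(args)) return null;
  return {
    method: selector === APPROVE_SELECTOR ? "approve" : "increaseAllowance",
    spender: "0x" + args.slice(24, 64),
    amount: BigInt("0x" + args.slice(64, 128)),
  };
}

// Audit a transaction object ({ to, data }) against the platform's allowlist
// of spender contracts. Non-approval calls pass through; approvals to an
// unknown spender or for an unlimited amount are blocked with reasons.
function auditTransaction(tx, trustedSpenders) {
  const allowlist = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const approval = decodeApproval(tx.data);
  if (!approval) return { verdict: "allow", reasons: [], approval: null };

  const reasons = [];
  if (!allowlist.has(approval.spender)) {
    reasons.push(`${approval.method} grants ${approval.spender}, which is not a known platform contract`);
  }
  if (approval.amount === MAX_UINT256) {
    reasons.push("approval amount is unlimited (uint256 max)");
  }
  return { verdict: reasons.length > 0 ? "block" : "allow", reasons, approval };
}

// Constructed sample transactions: the user's intended approval to the
// platform router, and a tampered one granting an unknown address everything.
const intendedTx = { to: TOKEN_CONTRACT, data: encodeApprove(TRUSTED_ROUTER, 1000000n) };
const tamperedTx = { to: TOKEN_CONTRACT, data: encodeApprove(UNKNOWN_SPENDER, MAX_UINT256) };

for (const tx of [intendedTx, tamperedTx]) {
  const result = auditTransaction(tx, [TRUSTED_ROUTER]);
  console.log(result.verdict, result.reasons);
}
```

The check is only as good as the allowlist, and it must live somewhere the injected script cannot rewrite: in the wallet, a browser extension, or a signed configuration, not in the same tag-managed page the attacker already controls. It also covers only ERC-20 allowance calls; setApprovalForAll for NFTs and permit-style signatures need their own decoders.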
The attacker successfully stole a total of $265,000 worth of Aave Matic interest-bearing USDC (AMUSDC) in 4 transactions from one wallet on Polygon. Another wallet was targeted but managed to revoke the malicious approvals before the attacker could use them to drain funds.
After the Kyber Network team identified the issue, they disabled the GTM container and restored normal operations within two hours. The team has also fully compensated the affected wallet and, with the help of Binance, has identified two parties involved in the attack.
The Kyber Network hack demonstrates the importance of securing frontend code as part of a DeFi project. In this case, a smart contract security audit would have identified no issues as the smart contracts were not vulnerable or targeted in the attack.
Only a holistic security audit, combined with ongoing security monitoring and the implementation of security best practices, could have prevented the Kyber Network hack. For more information about holistic audits of your DeFi project, or for help in developing a security program designed to thwart similar attacks, reach out to our team of blockchain security experts at halborn@protonmail.com.