KyberSwap Hacked for $265K - Offers 15% Bounty for Return of Funds (with Update)

"After the Curve Finance exploit last month, the decentralized exchange (DEX) KyberSwap joins the list of DeFi projects to suffer a front-end exploit. On Friday, the Kyber Network, the liquidity protocol on which KyberSwap is built, confirmed reports, adding that the attack on its website was quickly identified and fixed within a few hours" [Somraaj, S. DeFi Exchange KyberSwap Suffers $265,000 Frontend Exploit. (Accessed September 2, 2022)].

In a Blog published on September 1, 2022, Kyber Network provided the following details and timeline for this exploit:

On 1 Sep, 3.24PM GMT+7, we identified a suspicious element on our frontend. Shutting down our front end to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM) which inserted a false approval, allowing a hacker to transfer a user’s funds to his address.

At 4pm GMT+7 we announced to our community that we had disabled the UI, during which we investigated the cause of the frontend exploit. A malicious code in our GTM was identified upon which we disabled GTM [...]

Conducting further checks, we found that after disabling GTM, the bad script was eliminated with no further suspicious activity. The script had been discreetly injected and specifically targeting whale wallets with large amounts. We restored the UI, with the steps after to identify all of the attackers’ addresses, and identify the extent of the damage, and which addresses were affected. We announced the UI going live again at 5.46pm GMT+7.

[Kyber Network. Notice of Exploit of KyberSwap Frontend — All funds will be reimbursed. (Accessed September 2, 2022)].

This Blog continued by providing the 'Confirmed Attacker Addresses & Suspected Attacker Addresses', which, for informational purposes, are set forth in full:

Attacker’s address:

  1. 0x57A72cE4fd69eBEdEfC1a938b690fbf11A7Dff80 (Polygon & Ethereum)(Confirmed)
  2. Address receiving tokens when 0x57A72cE4fd69eBEdEfC1a938b690fbf11A7Dff80 call transfer from:
    0xfd6f294f3c9e117dde30495770ba9b073c33b065 (Polygon) (Confirmed)
    0xb9943d5ab8b3a70925714233d938dd62e957f92e (Ethereum) (Confirmed)
  3. Addresses supplying native tokens to 0x57A72cE4fd69eBEdEfC1a938b690fbf11A7Dff80 and other attacker’s (confirmed and suspected) address excluding all CEX addresses:

Polygon:

  • 0x9bc22f7e0234029eaf2c570588d829f07123fdd6 (confirmed) - Hack test address

Ethereum:

  • 0x44183fd1a79704f79e0986c6380dd9bfbbc7e6d2 (confirmed) - Hack test address

[Id].

This useful Blog goes further by providing instructions to revoke malicious approvals. For transactions on the Ethereum chain:

  • Go to https://etherscan.io/tokenapprovalchecker, input your wallet address for searching
  • Check if you have any records that the Approved Spender is 0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80.
  • If you don’t have any records, this address is safe and you can ignore next steps
  • If you have any records as specified, go to the next step
  • Connect your wallet by pressing the “Connect to Web3” button
  • Revoke all records where the Approved Spender is 0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80 by pressing the “Revoke” button on the right side and sign the revoked transactions in your wallet
  • Details about steps with animation on how to revoke a spender here
  • Make sure all your addresses are checked

[Id].

For transactions on the Polygon chain:

  • Go to https://polygonscan.com/tokenapprovalchecker, input your wallet address for searching
  • Check if you have any records that the Approved Spender is 0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80.
  • If you don’t have any records, this address is safe and you can ignore next steps
  • If you have any records as specified, go to the next step
  • Connect your wallet by pressing the “Connect to Web3” button
  • Revoke all records where the Approved Spender is 0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80 by pressing the “Revoke” button on the right side and sign the revoked transactions in your wallet
  • Details about steps with animation on how to revoke a spender here
  • Make sure all your addresses are checked

[Id].
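
The check both procedures above perform (is 0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80 recorded as an Approved Spender for your wallet?) can also be run over raw ERC-20 `Approval` event logs from either chain. The following is an added example, not code from Kyber's notice or from this post; the wallet, token addresses and log entries are constructed, and the function names are hypothetical.

```python
# Added example: list ERC-20 approvals to a flagged spender that were never revoked.
# keccak256("Approval(address,address,uint256)"), the standard event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
FLAGGED_SPENDER = "0x57a72ce4fd69ebedefc1a938b690fbf11a7dff80"  # spender named in the Kyber notice

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_allowances(logs, owner, spender=FLAGGED_SPENDER):
    """Map token -> last approved amount for owner -> spender, where non-zero.

    logs: dicts shaped like eth_getLogs results (hex-string fields).
    Events are replayed in chain order so a later approve(spender, 0)
    revocation clears an earlier grant.
    """
    owner, spender = owner.lower(), spender.lower()
    ordered = sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16)))
    state = {}
    for log in ordered:
        topics = log["topics"]
        # ERC-20 Approval carries 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner or topic_to_address(topics[2]) != spender:
            continue
        state[log["address"].lower()] = int(log["data"], 16)
    return {token: amount for token, amount in state.items() if amount > 0}

# --- constructed sample data (placeholder addresses, not real chain data) ---
WALLET = "0x" + "11" * 20
OTHER_SPENDER = "0x" + "22" * 20
TOKEN_A, TOKEN_B, TOKEN_C = ("0x" + c * 40 for c in "abc")
MAX = "0x" + "f" * 64  # "unlimited" approval amount

def make_log(token, spender, amount_hex, block, index=0):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(WALLET), pad(spender)],
            "data": amount_hex, "blockNumber": hex(block), "logIndex": hex(index)}

SAMPLE_LOGS = [
    make_log(TOKEN_B, FLAGGED_SPENDER, "0x" + "0" * 64, 0x20),  # revocation, listed out of order
    make_log(TOKEN_A, FLAGGED_SPENDER, MAX, 0x10),              # still live
    make_log(TOKEN_B, FLAGGED_SPENDER, MAX, 0x11),              # later revoked
    make_log(TOKEN_C, OTHER_SPENDER, MAX, 0x12),                # unrelated spender
]

if __name__ == "__main__":
    for token, amount in live_allowances(SAMPLE_LOGS, WALLET).items():
        print(f"revoke needed: token {token} last approved amount {amount}")
```

The value reported is the last approved amount, not the remaining allowance; the token contract's `allowance(owner, spender)` call is authoritative, and a non-empty result means the revoke steps above still apply to that token.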

After restating that "If your address and funds have been compromised KyberSwap will compensate you for funds lost" [Id], the Blog provided a look into the next steps Kyber intends to take:

Kyber Network is 100% committed to creating and maintaining a decentralized platform that is secure for users and partners, and today’s events show while our team has been swift to address the issue and is committed to making users whole, there is much to do to keep DeFi secure moving forward. Forensic investigations are already under way to identify further information about the attackers, and KyberSwap is in touch with various exchanges to block any funds transfer from the attackers’ wallets and identify them. This attack does not affect our progress and operations moving forward.

[Id].

This Blog closed with a pointed message from Kyber to the hacker:

Hello attacker. We know the addresses you own have received funds from central exchanges and we can track you down from there. We also know the addresses you own have OpenSea profiles and we can track you through the NFT communities or directly through OpenSea. As the doors of exchanges close upon you, you will not be able to cash out without revealing yourself. As a bug bounty, we are offering you 15% of the funds if you return it and have a conversation with our team. To confirm, send the funds to the following Polygon address: 0x2dc0ba6ba3485edd61f17ffabf4c7a9626001d50

[Id].

"Hackers have used exploits to execute attacks on many decentralized finance protocols, including $100 million being removed from the Horizon Bridge in June and draining $200 million worth of crypto from the Nomad token bridge in August. Cointelegraph reported on Aug. 11 that the overwhelming majority of attackers responsible for the Nomad bridge hack copied the original exploit, directing funds to addresses they chose" [Wright, T. Kyber Network offers bounty following $265K hack of decentralized exchange. (Accessed September 2, 2022)].

UPDATE

[September 3, 2022 @ 06:43 ET]

"While investigations were underway, KyberSwap offered a 10% bounty — of roughly $40,000 — to the hacker as means to remediate the situation. Parallelly, based on an independent investigation, Binance’s security team identified two suspects that may be responsible for orchestrating the virtual heist. Binance CEO Changpeng ‘CZ’ Zhao confirmed that the intel had been sent to the Kyber team" [Sarkar, A. Binance identifies KyberSwap hack suspects, involves law enforcement. (Accessed September 3, 2022)].

Being the biggest crypto exchange in terms of trading volume, Binance’s proactive and selfless effort to help investors from other ecosystems didn't go unnoticed, as one of the community members pointed out: 'Binance is now playing the role of a big brother in the crypto space. Binance has gone beyond securing its platform to securing the entire crypto ecosystem.' If Binance’s investigation checks out, KyberSwap investors may be witness to a rare community-driven hack redemption.

[Id]
