Recently, the decentralized exchange (DEX) aggregator and liquidity protocol KyberSwap lost $265k due to a frontend vulnerability.
The team at KyberSwap discovered that an attacker had inserted malicious code into the protocol's Google Tag Manager (GTM) container, allowing them to steal user funds. GTM lets a site deploy and update snippets of third-party code, known as tags, without touching the site's own codebase, which also means a compromised GTM account can push arbitrary script to every visitor.
During its investigation, the team determined that the GTM compromise was the cause and deactivated the container. This disabled the attacker's code, and the team reported "no more suspicious behavior" afterwards.
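One defensive check that follows from the incident is auditing what a GTM container can execute before it ships. The example below is added here and is not KyberSwap's code or Google's tooling: it scans a constructed, simplified sample in the shape of a GTM container export (`containerVersion.tag[]`, Custom HTML tags of type `html` carrying an `html` parameter) and flags any tag that loads a script from a host outside an assumed allowlist or runs inline script.

```javascript
// Added example: audit a GTM container export for tags that can run
// arbitrary code in the page. ALLOWED_SCRIPT_HOSTS is an assumption.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "www.googletagmanager.com",
  "analytics.example.com",
]);

// Collect src attributes of <script> elements in a Custom HTML tag body.
function extractScriptSources(html) {
  const sources = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// A <script> without src, or an on* handler attribute, executes inline.
function hasInlineScript(html) {
  return /<script\b(?![^>]*\bsrc\s*=)[^>]*>/i.test(html) || /\son\w+\s*=/i.test(html);
}

// Return a list of findings; an empty list means every tag passed.
function auditContainer(exported) {
  const findings = [];
  const tags = (exported.containerVersion && exported.containerVersion.tag) || [];
  for (const tag of tags) {
    if (tag.type !== "html") continue; // only Custom HTML tags carry raw markup
    const param = (tag.parameter || []).find((p) => p.key === "html");
    const html = param ? param.value : "";
    for (const src of extractScriptSources(html)) {
      let host = null;
      try { host = new URL(src, "https://app.example.com").hostname; } catch (e) { host = null; }
      if (!host || !ALLOWED_SCRIPT_HOSTS.has(host)) {
        findings.push({ tag: tag.name, reason: `script from unexpected host: ${host || src}` });
      }
    }
    if (hasInlineScript(html)) findings.push({ tag: tag.name, reason: "inline script in Custom HTML tag" });
  }
  return findings;
}

// Constructed sample container: one benign loader, one tag that should be flagged.
const SAMPLE_CONTAINER = { containerVersion: { tag: [
  { name: "Analytics loader", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
    value: '<script src="https://analytics.example.com/a.js"></script>' }] },
  { name: "Wallet helper", type: "html", parameter: [{ type: "TEMPLATE", key: "html",
    value: '<script src="https://cdn.unknown-host.invalid/w.js"></script><script>document.title="x"</script>' }] },
] } };

console.log(auditContainer(SAMPLE_CONTAINER));
```

Running the audit in CI against every exported container version, and alerting on any new finding, turns a silent tag change into a reviewable event.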
According to KyberSwap, the attacker "particularly targeted whale wallets with high quantities" but only managed to take $265,000 from two Polygon addresses. While the exploiter has yet to be identified, the protocol has said it will compensate the two affected addresses as well as any other addresses found to have been compromised.
The team has identified Ethereum and Polygon addresses associated with the attacker and is currently monitoring them, and has also found other accounts on platforms such as OpenSea tied to the same actor. Centralized exchanges were warned of the attack and asked to block any attempt by the attacker to move the funds.
The KyberSwap team added that if the attacker returns the funds and contacts them, they will be offered 15% of the amount as a bug bounty.
Since the proliferation of decentralized apps in 2020, vulnerabilities of many kinds have become more common. Frontend compromises remain a relatively uncommon vector, whereas flash loans have featured in numerous successful exploits.
In July, the Solana, California-based DeFi yield platform Nirvana experienced a flash loan attack and lost around $3.5 million. In April, the Deus Finance protocol was hacked for almost $13 million using a flash loan vulnerability.
The largest loss this year was the $625 million Axie Infinity attack. The Wormhole bridge hack transferred $318 million to the attackers.