Kyber Network said, “As a bug bounty, we’ll give you 15% of the money if you bring it back and talk to our team.” One Kyber wallet had $265,000 stolen from it on September 1.
Kyber Network, a multichain decentralized finance (DeFi) platform, said it has removed the attack vector used in a Sept. 1 exploit that led to the theft of $265,000.
Two wallets were affected by the attack, and Kyber said in an update Tuesday that one of the wallets has been fully reimbursed for the money it lost.
“The other wallet gave permissions to the malicious script and was able to take back those permissions before losing any money,” Kyber said.
After the attack, Kyber said the threat had been “neutralized” within two hours.
The attack exploited a weakness in the code of Kyber’s website front end, which sets it apart from most DeFi attacks, which typically target on-chain smart contracts. Although the loss was relatively small, the attack showed that DeFi platforms can be compromised through more than one avenue.
Attackers gained access to the app’s front end through the Google Tag Manager (GTM) script, the company said in a statement.
Websites commonly use GTM scripts to track user activity and collect data for analytics.
Using a malicious script injected through GTM, the attackers caused users to approve their funds and send them to the attackers’ address.
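One way a dapp front end can defend against this pattern (a runtime-loaded script steering users into approving a rogue spender) is to decode ERC-20 approve() calldata before it is handed to the wallet and refuse approvals to any spender the front end does not recognise. The following is an added example, not Kyber’s code; the EIP-1193 provider wrapper, the allowlist and every address in it are assumptions.

```javascript
// Added example, not Kyber's code: a dapp-side guard that decodes ERC-20
// approve() calls before they reach the user's wallet and blocks approvals
// to any spender the front end does not recognise. Addresses are placeholders.

const APPROVE_SELECTOR = "0x095ea7b3"; // keccak256("approve(address,uint256)")[0:4]
const UINT256_MAX = (1n << 256n) - 1n;

// Constructed placeholder for the routers users are legitimately asked to approve; embed at build time.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI-encode approve(spender, amount): selector + two 32-byte words.
function encodeApprove(spender, amount) {
  const word = (hex) => hex.padStart(64, "0");
  return APPROVE_SELECTOR + word(spender.slice(2).toLowerCase()) + word(BigInt(amount).toString(16));
}

// Decode approve calldata; returns null for anything that is not an approve.
function decodeApprove(data) {
  if (typeof data !== "string" || !data.toLowerCase().startsWith(APPROVE_SELECTOR)) return null;
  const args = data.slice(APPROVE_SELECTOR.length);
  if (args.length !== 128 || !/^[0-9a-fA-F]+$/.test(args)) return null;
  return {
    spender: "0x" + args.slice(24, 64).toLowerCase(), // address sits in the low 20 bytes of its word
    amount: BigInt("0x" + args.slice(64)),
  };
}

// Block approvals to unknown spenders; everything else passes (unlimited ones are noted).
function checkTransaction(tx) {
  const approval = decodeApprove(tx.data);
  if (!approval) return { allow: true, reason: "not an ERC-20 approve" };
  if (!KNOWN_SPENDERS.has(approval.spender)) {
    return { allow: false, reason: `approve to unknown spender ${approval.spender}` };
  }
  const unlimited = approval.amount === UINT256_MAX;
  return { allow: true, reason: unlimited ? "unlimited approval to known spender" : "approve to known spender" };
}

// Wrap an EIP-1193 provider so eth_sendTransaction is checked before forwarding.
function guardProvider(provider) {
  return {
    request(args) {
      if (args.method === "eth_sendTransaction") {
        for (const tx of args.params ?? []) {
          const verdict = checkTransaction(tx);
          if (!verdict.allow) return Promise.reject(new Error(`blocked: ${verdict.reason}`));
        }
      }
      return provider.request(args);
    },
  };
}
```

The guard only helps if the allowlist is compiled into the bundle rather than read from something a tag script can rewrite at runtime; a blocked verdict is also a useful signal to log server-side.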
“This is the first time in five years that we’ve been hacked, which is sad, but our team handled it very well,” tweeted Kyber’s co-founder Loi Luu. “Within a few hours of finding out about the hack, we found the bad code (which was loaded on the fly by a trusted third-party js library) and took it out.”
Before the fix, the attacker was able to move $265,000 worth of interest-bearing Aave Matic USDC (AMUSDC) tokens in four separate transactions.
Aave runs on Ethereum and several other blockchains, including Polygon. The token in question represents USDC stablecoin deposited through Aave’s Polygon deployment: when a user deposits a token into the lending platform, they receive an interest-bearing version of it in return.
It was this interest-bearing version that the attackers stole in Friday’s hack.
The KyberSwap platform is a decentralized exchange where users can trade tokens across multiple blockchains.