At KyberSwap, we have always been committed to user security, with heavy investments in monitoring tools and multiple smart contract audits conducted by ChainSecurity and Hacken. It is therefore regrettable that there was a recent attack on the kyberswap.com user interface which bypassed our security oversight. At the time of the attack, we worked with cybersecurity firm Calif to investigate the situation and determine the root cause of the attack.
As transparency is one of our guiding principles, we want to openly share the findings from this attack with the DeFi community so that we can learn and protect against security threats together.
Before we delve into the details, it is important to note that:
- This attack was a Cloudflare and frontend exploit; isolated to the Cloudflare API Key and KyberSwap.com UI
- KyberSwap smart contracts were never at risk or exploited; DEX aggregator and Elastic and Classic liquidity protocols operated as intended
- Due to immediate emergency action taken, only 2 users were affected, with one user not losing any funds at all and the other fully reimbursed by the Kyber team
- Kyber team and DAO treasury funds were unaffected
- All malicious routes, scripts, and known attack vectors have been eradicated. kyberswap.com is currently working as intended
Summary of Exploit
KyberSwap is a decentralized exchange and liquidity platform from Kyber Network. It uses MetaMask and other blockchain wallets to help the user sign transactions to trade tokens or add liquidity. In order to use those features, users have to interact with the kyberswap.com UI/website to sign a few prerequisite transactions, including transactions that give smart contract allowance to transfer tokens out of their address. Users are supposed to give allowance only to KyberSwap’s official contract addresses.
Around 8AM UTC, September 01, 2022, our Operations Manager noticed that the kyberswap.com UI displayed an abnormal “Increase Allowance” message, instructing users via MetaMask to give allowance of their assets to a suspicious address INSTEAD of our official contract address. He immediately raised this issue to our Engineering team, who confirmed within minutes that the website was exploited.
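The allowance prompt described above is an ERC-20 `approve` or `increaseAllowance` call whose first argument is the spender. The following is an added example, not code from KyberSwap or from the original report, showing how a wallet-side or monitoring check can decode that calldata and compare the spender against an allowlist; the allowlist address and the sample transactions are constructed placeholders.

```javascript
// Added example: decode allowance-granting calldata and check the spender.
// OFFICIAL_SPENDERS holds a constructed placeholder, not a real KyberSwap address.
const ALLOWANCE_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
};
const OFFICIAL_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder allowlist entry
]);

function decodeAllowanceCall(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  const fn = ALLOWANCE_SELECTORS[hex.slice(0, 8)];
  if (!fn) return null; // not an allowance-granting call
  // 4-byte selector + two 32-byte ABI words = 136 hex characters
  if (hex.length < 136) throw new Error("truncated allowance calldata");
  const spenderWord = hex.slice(8, 72);
  // An address is 20 bytes, left-padded with 12 zero bytes in its ABI word.
  if (!spenderWord.startsWith("0".repeat(24))) {
    throw new Error("spender word has non-zero padding");
  }
  return {
    fn,
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

function checkTransaction(tx) {
  const call = decodeAllowanceCall(tx.data || "0x");
  if (call === null) return { verdict: "not-allowance" };
  const verdict = OFFICIAL_SPENDERS.has(call.spender) ? "allow" : "block";
  return { verdict, ...call };
}

// Constructed sample transactions (unlimited allowance to two different spenders,
// plus a plain transfer that the check ignores).
const word = (h) => h.replace(/^0x/, "").padStart(64, "0");
const MAX_UINT256 = "f".repeat(64);
const sampleTxs = [
  { data: "0x095ea7b3" + word("0x1111111111111111111111111111111111111111") + MAX_UINT256 },
  { data: "0x39509351" + word("0x2222222222222222222222222222222222222222") + MAX_UINT256 },
  { data: "0xa9059cbb" + word("0x2222222222222222222222222222222222222222") + word("0x01") },
];
```

A check like this only helps when it runs outside the page that builds the transaction (in the wallet, an extension, or a monitoring job), since a script injected into the page can alter anything the page itself executes.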
To protect users, we immediately blocked the kyberswap.com website from internet access (only allowing VPN access for the team to investigate). We also informed all our DeFi partners that had ongoing campaigns with us about this issue.
After a thorough investigation, our team and Calif security experts identified the root cause: Cloudflare Workers was our Achilles’ heel, mainly due to the compromised Cloudflare account of an ex-KyberSwap SRE (Site Reliability Engineering) employee.
Cloudflare Workers provides an interface to inject and run JavaScript directly in the response to web traffic as it flows through Cloudflare proxies. The attacker deployed malicious JavaScript using a compromised Cloudflare API key that was exploited and rotated in October 2021. The hacker then used this API key to periodically inject the script via Cloudflare Workers into our kyberswap.com UI, targeting a subset of wallets: those with large holdings.
Timeline of Events
Timeline | Description |
Feb 20, 2016 | A domain used by the hacker was registered – coinfi.com |
Jan 17, 2019 | Devops mailbox (used by the ex-SRE) was created |
May 03, 2021 | Devops account (associated with the above mailbox) logged in to Cloudflare for the first time. |
Sep 23, 2021 | A domain used in the hack was registered – cioudflare.net |
Oct 28, 2021 | Devops account has been added into “KyberNetwork Cloudflare” with “ADMIN” role by our root account. |
Oct 28, 2021 | A phishing email was sent to the Devops mailbox with URL: https://cloudflare-ipfs.com/ipfs/QmYDFtcQy3gfuLYBkckRzkb3Bk5gVkngkgExThe2PyPZc6/?oobCode=dashboard This URL redirects to: https://dash.cloudflare.net/redirect-login?r=242787&uid=ZGV2b3BzQGt5YmVyLm5ldHdvcms%3D&redirect=https%3A%2F%2Fcloudflare-ipfs.com%2Fipfs%2FQmYDFtcQy3gfuLYBkckRzkb3Bk5gVkngkgExThe2PyPZc6%2F |
Oct 29, 2021 | The ex-SRE got phished. The hacker logged into Cloudflare. Afterward, the hacker immediately rotated and viewed the Global API Key. |
Mar 30, 2022 | Hacker executed “purge_everything” action with kyberswap.com zone on Cloudflare. |
Apr 10, 2022 | The ex-SRE left the company. |
Apr 11, 2022 | We kept the devops account in Cloudflare and rotated its password. |
May 26, 2022 | A domain used in the hack was registered – logging24.com |
May 28, 2022 | Hacker uploaded source code to his server: https://logging24.com/log.php and https://logging24.com/lib.php |
May 24 – Aug 05, 2022 | Hacker kept executing “purge_everything” action with kyberswap.com zone on Cloudflare |
Aug 06, 2022 | Hacker uploaded the malicious javascript to kyberswap.com and made some changes with his PHP code on his server. |
10:56 Aug 08, 2022 | Hacker created a route to apply his script to kyberswap.com on Cloudflare. |
11:03 Aug 08, 2022 | Hacker deleted all routes and scripts on Cloudflare. |
Aug 11 – Aug 22, 2022 | Hacker kept testing his scripts with kyberswap.com |
08:13 Sep 01, 2022 | Hacker uploaded his scripts to Cloudflare |
08:13 Sep 01, 2022 | Hacker created routes to apply his scripts to kyberswap.com |
08:22 Sep 01, 2022 | Our Operations Manager noticed that kyberswap.com was showing a strange “Increase Allowance” popup. |
08:37 Sep 01, 2022 | A wallet got phished on Polygon chain. |
08:43 Sep 01, 2022 | Another wallet got phished on Polygon chain. |
08:45 Sep 01, 2022 | Our SRE disabled public access to kyberswap.com |
09:19 Sep 01, 2022 | Hacker deleted all scripts and routes from Cloudflare. |
12:05 – 15:55 Sep 01, 2022 | Hacker tried to withdraw aUSDC from a victim wallet. |
19:28 Sep 01, 2022 | KyberNetwork announced the incident on Twitter. |
Sep 02 – Sep 03, 2022 | Hacker tried to withdraw WBTC from victim wallet. |
Sep 03, 2022 | Hacker tried to enable his scripts again. |
Sep 03, 2022 | Our SRE disabled public access to kyberswap.com |
Sep 04, 2022 | From the Cloudflare Audit Log, our SRE noticed that the hacker had used Cloudflare Workers to attack kyberswap.com |
Sep 04, 2022 | The compromised API Key was rotated |
Sep 04, 2022 | Our SRE removed all routes and scripts of hacker from KyberSwap zone. |
Sep 09, 2022 | We found the BadgerDAO postmortem; the attack method is similar. |
Sep 09, 2022 | The phishing email was found in devops mailbox. |
Root cause
A phishing email was sent to our ex-SRE's mailbox on October 28, 2021. His Cloudflare account had administrator privileges, but anti-phishing 2FA was not enabled. The hacker got access to Cloudflare and compromised the Global API key.
Via the compromised API key, the hacker periodically deployed malicious JavaScript to Cloudflare Workers on August 06, 2022. His JavaScript targeted only wealthy wallets, not every user.
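The timeline and root cause above name the control-plane actions the attacker performed (Global API Key rotated and viewed, “purge_everything”, script upload, route creation). The following is an added example, not part of the original report or of Cloudflare's tooling, that triages audit-log-style records for those actions. It assumes records carry `when`, `actor.email` and `action.type`; every `action.type` string other than “purge_everything” and all sample records are constructed.

```javascript
// Added example: flag risky control-plane actions in audit-log-style records.
// Action names other than "purge_everything" are assumed labels, not Cloudflare's.
const HIGH_RISK = new Set([
  "api_key_rotate", "api_key_view", "purge_everything",
  "worker_script_upload", "worker_route_create",
]);

function triage(records, activeStaff, windowMs = 10 * 60 * 1000) {
  const findings = [];
  const lastUpload = new Map(); // actor email -> time of most recent script upload
  const sorted = [...records].sort((a, b) => Date.parse(a.when) - Date.parse(b.when));
  for (const r of sorted) {
    const who = r.actor.email;
    const what = r.action.type;
    const t = Date.parse(r.when);
    if (!HIGH_RISK.has(what)) continue;
    const reasons = [];
    // Accounts that should have been offboarded are the first thing to surface.
    if (!activeStaff.has(who)) reasons.push("actor not in active staff list");
    if (what.startsWith("api_key_")) reasons.push("global API key touched");
    if (what === "worker_script_upload") lastUpload.set(who, t);
    // Upload followed quickly by a route is the deployment pattern in the timeline.
    if (what === "worker_route_create" && lastUpload.has(who) &&
        t - lastUpload.get(who) <= windowMs) {
      reasons.push("route created right after script upload");
    }
    if (reasons.length > 0) findings.push({ when: r.when, who, what, reasons });
  }
  return findings;
}

// Constructed sample records, deliberately out of order.
const activeStaff = new Set(["sre@example.org"]);
const sampleLog = [
  { when: "2022-09-01T08:13:40Z", actor: { email: "devops@example.org" }, action: { type: "worker_route_create" } },
  { when: "2022-09-01T08:13:05Z", actor: { email: "devops@example.org" }, action: { type: "worker_script_upload" } },
  { when: "2022-08-30T10:00:00Z", actor: { email: "sre@example.org" }, action: { type: "purge_everything" } },
  { when: "2022-08-30T11:00:00Z", actor: { email: "sre@example.org" }, action: { type: "api_key_rotate" } },
  { when: "2022-08-30T12:00:00Z", actor: { email: "sre@example.org" }, action: { type: "dns_record_update" } },
];
```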
Financial damage
There were two users who were affected by the hack:
- The first user had an equivalent of approximately $265,000 in cryptocurrency transferred from his wallet to the hacker’s wallet in four separate transactions:
  - https://polygonscan.com/tx/0xc42a8e5994f43a65cf8272bc7afeabf54088abf2620ea1fbb75376257b509abb
  - https://polygonscan.com/tx/0xf9b887b773ac2970591bcc40c1dec5e60c0e2ae47deb83c3125d8e10c5fe15cf
  - https://polygonscan.com/tx/0xc921340e31e72806f4bd0ba8ed35189229da002331bdefe370bbc07d8228fc4c
  - https://polygonscan.com/tx/0x6e904564f29e312e2a5fc225ab754f6e8942501039187398c30aaa0656512941
  - These withdrawals ended up triggering a $447,000 liquidation, which resulted in an additional $49,000 in losses. The total amount of losses suffered by this user was $314,000 ($265,000 + $49,000).
- The second user approved the malicious script, but later successfully revoked his approval before losing any funds.
Kyber team reimbursed a total of $314,000 to the first user and helped the second user ensure that he successfully revoked his approval of the malicious script.
Wallets with larger holdings targeted
- On August 06, 2022, the hacker targeted wallets holding more than 1M USD.
- On September 01, 2022, the hacker adjusted the target to wallets holding more than 100k USD.
Actions Taken and Next Steps by KyberSwap
We have since removed all of the attacker's malicious JavaScript and routes from the UI and confirmed that the administrator privileges from the compromised Cloudflare account and all other ex-employee accounts have been revoked. The kyberswap.com website is now working as per normal, with heightened 24/7 monitoring by our engineering team.
In addition, we have implemented anti-phishing 2FA for all SRE employees, as well as set up proper exit procedures to revoke admin access from employee accounts and conduct a vulnerability check if they leave the team.
As promised earlier, we have also shared all the details of this security incident in this report.
Next Steps
Item | Timeline |
More audits of both Web2 and Web3 infrastructure | Completed |
Develop a bug bounty program to be displayed on KyberSwap.com and explore working with 3rd-party platforms like Immunefi. | Q1 2023 |
Set up a KyberSwap status page that shows important live information about the UI | Q1 2023 |
Increase education for all current and future Kyber team members about the various attack vectors related to phishing and man-in-the-middle attacks | Q1 2023 |
Confirm an insurance provider that provides both smart contract + frontend coverage | Q1 2023 |
Other Questions
Why was this vulnerability not discovered earlier?
We were unaware that the Cloudflare account of an ex-Kyber employee (who had admin privileges) was the victim of a phishing attack and was compromised, resulting in the Cloudflare Global API key being compromised as well.
Can this specific exploit happen on KyberSwap again?
No, because we have worked closely with Google security experts to review our Google Cloud infrastructure, accounts, roles and permissions, firewall rules, and security and network monitoring system. We have also equipped our SRE team, the only team that has access to our production system, with hardware tokens.
What can be learnt from this exploit?
Comprehensive audits and security at the smart contract and protocol level are not sufficient, as UI/frontend exploits can be equally dangerous to users. KyberSwap needs to shore up our frontend security and educate the entire team about phishing attacks, especially when using 3rd-party services such as Cloudflare. KyberSwap’s frontend security competency in this case was not optimal and we promise to work harder to raise our competency level and improve our overall security framework moving forward.
In addition, we would like to highlight that Cloudflare allows the unauthorised creation or access of a Global API key by default which can’t be deleted or deactivated. Cloudflare’s customer support during our critical hack-discovery period was also far from ideal, with bugs in their audit logs. This severely increases the risk involved when depending on a 3rd-party service like Cloudflare.
Conclusion
We hope that this report helps the community clarify any doubts and questions regarding the KyberSwap UI exploit, while providing valuable information for other DeFi projects to safeguard against similar attacks. For any project that is facing a similar attack or would like to find out more about how to safeguard against it, please feel free to reach out to us.
We sincerely apologise for this lapse in security on KyberSwap and we appreciate your kind understanding for the website downtime experienced in September. We remain steadfast in our commitment towards providing the utmost security for our users at all levels, including smart contracts, backend, and frontend. Let’s work together to make DeFi safer for everyone!