Post Mortem: Past KyberSwap Frontend Exploit (Sept 2022)

At KyberSwap, we have always been committed to user security, with heavy investments in monitoring tools and multiple smart contract audits conducted by ChainSecurity and Hacken. It is therefore regrettable that a recent attack on the kyberswap.com user interface bypassed our security oversight. At the time of the attack, we worked with the cybersecurity firm Calif to investigate the situation and determine the root cause.

As transparency is one of our guiding principles, we want to openly share the findings from this attack with the DeFi community so that we can learn and protect against security threats together.

Before we delve into the details, it is important to note that:

  • This attack was a Cloudflare and frontend exploit; isolated to the Cloudflare API Key and KyberSwap.com UI
  • KyberSwap smart contracts were never at risk or exploited; DEX aggregator and Elastic and Classic liquidity protocols operated as intended
  • Due to immediate emergency action taken, only 2 users were affected, with one user not losing any funds at all and the other fully reimbursed by the Kyber team
  • Kyber team and DAO treasury funds were unaffected
  • All malicious routes, scripts, and known attack vectors have been eradicated. kyberswap.com is currently working as intended

Summary of Exploit

KyberSwap is a decentralized exchange and liquidity platform from Kyber Network. It uses MetaMask and other blockchain wallets to let users sign transactions to trade tokens or add liquidity. To use those features, users interact with the kyberswap.com UI to sign a few prerequisite transactions, including ERC-20 approvals that give a smart contract an allowance to transfer tokens out of their address. Users are supposed to grant such allowances only to KyberSwap’s official contract addresses.

Around 8AM UTC on September 01, 2022, our Operations Manager noticed that the kyberswap.com UI displayed an abnormal “Increase Allowance” prompt, instructing users via MetaMask to grant an allowance over their assets to a suspicious address INSTEAD of our official contract address. He immediately raised the issue with our Engineering team, who confirmed within minutes that the website had been compromised.
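One defence against exactly this symptom is for the dApp to decode every allowance request before it is handed to the wallet and refuse any spender that is not on a hard-coded list of official contract addresses. The following is an added example and not KyberSwap's code; the allowlisted addresses, the token address and the two sample transactions are placeholders constructed for the example.

```javascript
// Added example, not KyberSwap's code: a dApp-side guard that decodes an
// ERC-20 approve()/increaseAllowance() call before handing it to the wallet
// and refuses any spender that is not an official contract. The allowlisted
// addresses are PLACEHOLDERS, not real KyberSwap deployments.

const ALLOWANCE_SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address,uint256)
  "0x39509351": "increaseAllowance", // increaseAllowance(address,uint256)
};

// PLACEHOLDER addresses standing in for the official router/aggregator contracts.
const OFFICIAL_SPENDERS = new Set(
  ["0x1111111111111111111111111111111111111111",
   "0x2222222222222222222222222222222222222222"].map((a) => a.toLowerCase())
);

const MAX_UINT256 = (1n << 256n) - 1n;

// Decode selector + two ABI words. Returns null for anything that is not a
// well-formed allowance call, so unrelated transactions pass through untouched.
function decodeAllowanceCall(data) {
  if (typeof data !== "string" || !/^0x[0-9a-fA-F]*$/.test(data)) return null;
  const method = ALLOWANCE_SELECTORS[data.slice(0, 10).toLowerCase()];
  if (!method || data.length !== 10 + 64 * 2) return null;
  const spenderWord = data.slice(10, 74);
  const amountWord = data.slice(74, 138);
  // An address is the low 20 bytes of its word; the 12 high bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  return {
    method,
    spender: ("0x" + spenderWord.slice(24)).toLowerCase(),
    amount: BigInt("0x" + amountWord),
  };
}

// Decide whether the UI may forward this transaction request to the wallet.
function checkAllowanceRequest(tx, allowlist = OFFICIAL_SPENDERS) {
  const call = decodeAllowanceCall(tx && tx.data);
  if (!call) return { ok: true, reason: "not an allowance call; no spender check applies" };
  if (!allowlist.has(call.spender)) {
    return { ok: false, reason: `spender ${call.spender} is not an official contract`, ...call };
  }
  const warn = call.amount === MAX_UINT256 ? "; unlimited allowance, warn the user" : "";
  return { ok: true, reason: "official spender" + warn, ...call };
}

// Helper to build calldata for the constructed sample transactions below.
function encodeAllowanceCall(selector, spender, amount) {
  return selector
    + spender.toLowerCase().slice(2).padStart(64, "0")
    + amount.toString(16).padStart(64, "0");
}

// CONSTRUCTED requests: a legitimate approval and an injected one that points
// at an attacker-controlled address (also a placeholder).
const TOKEN = "0x3333333333333333333333333333333333333333"; // placeholder token
const LEGIT_TX = { to: TOKEN, data: encodeAllowanceCall("0x095ea7b3", "0x1111111111111111111111111111111111111111", 1000000n) };
const INJECTED_TX = { to: TOKEN, data: encodeAllowanceCall("0x39509351", "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd", MAX_UINT256) };

console.log(checkAllowanceRequest(LEGIT_TX));
console.log(checkAllowanceRequest(INJECTED_TX));
```

The caveat a practitioner will spot immediately: a guard that lives in the same frontend the attacker can rewrite is only defence in depth, because the injected script can remove the check along with the rest of the page. The allowlist check earns its keep when it runs somewhere the edge cannot touch, such as a wallet extension or a transaction-simulation service the user trusts independently of the site.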

To protect users, we immediately blocked public internet access to kyberswap.com (allowing only VPN access for the team to investigate). We also informed all DeFi partners that had ongoing campaigns with us about the issue.

After a thorough investigation alongside Calif’s security experts, our team identified the root cause: Cloudflare Workers was our Achilles’ heel, reachable through the compromised Cloudflare account of an ex-KyberSwap SRE (site reliability engineering) employee.

Cloudflare Workers lets an account owner run JavaScript at the edge that can modify responses as web traffic flows through Cloudflare’s proxies. The attacker deployed malicious JavaScript through this feature using a compromised Cloudflare Global API key, which he had rotated and captured in October 2021 after phishing the account. He then used that API key to periodically attach the script to kyberswap.com via Cloudflare Workers, targeting a subset of wallets: those with large holdings.

Timeline of Events

Timeline                    Description
Feb 20, 2016                A domain later used by the hacker was registered: coinfi.com
Jan 17, 2019                The devops mailbox (used by the ex-SRE) was created
May 03, 2021                The devops account (associated with the above mailbox) logged in to Cloudflare for the first time
Sep 23, 2021                A look-alike domain used in the attack was registered: cioudflare.net
Oct 28, 2021                The devops account was added to the “KyberNetwork Cloudflare” account with the ADMIN role by our root account
Oct 28, 2021                A phishing email was sent to the devops mailbox with the URL: https://cloudflare-ipfs.com/ipfs/QmYDFtcQy3gfuLYBkckRzkb3Bk5gVkngkgExThe2PyPZc6/?oobCode=dashboard This URL redirected to: https://dash.cloudflare.net/redirect-login?r=242787&uid=ZGV2b3BzQGt5YmVyLm5ldHdvcms%3D&redirect=https%3A%2F%2Fcloudflare-ipfs.com%2Fipfs%2FQmYDFtcQy3gfuLYBkckRzkb3Bk5gVkngkgExThe2PyPZc6%2F
Oct 29, 2021                The ex-SRE was phished and the hacker logged in to Cloudflare, then immediately rotated and viewed the Global API Key
Mar 30, 2022                The hacker executed a “purge_everything” action on the kyberswap.com zone in Cloudflare
Apr 10, 2022                The ex-SRE left the company
Apr 11, 2022                We kept the devops account in Cloudflare and rotated its password
May 26, 2022                A domain used in the attack was registered: logging24.com
May 28, 2022                The hacker uploaded source code to his server: https://logging24.com/log.php and https://logging24.com/lib.php
May 24 – Aug 05, 2022       The hacker kept executing “purge_everything” actions on the kyberswap.com zone in Cloudflare
Aug 06, 2022                The hacker uploaded the malicious JavaScript for kyberswap.com to Cloudflare and changed the PHP code on his server
10:56 Aug 08, 2022          The hacker created a route in Cloudflare to apply his script to kyberswap.com
11:03 Aug 08, 2022          The hacker deleted all of his routes and scripts from Cloudflare
Aug 11 – Aug 22, 2022       The hacker kept testing his scripts against kyberswap.com
08:13 Sep 01, 2022          The hacker uploaded his scripts to Cloudflare
08:13 Sep 01, 2022          The hacker created routes to apply his scripts to kyberswap.com
08:22 Sep 01, 2022          Our Operations Manager noticed that kyberswap.com was showing a strange “Increase Allowance” popup
08:37 Sep 01, 2022          A wallet was phished on the Polygon chain
08:43 Sep 01, 2022          Another wallet was phished on the Polygon chain
08:45 Sep 01, 2022          Our SRE disabled public access to kyberswap.com
09:19 Sep 01, 2022          The hacker deleted all of his scripts and routes from Cloudflare
12:05 – 15:55 Sep 01, 2022  The hacker tried to withdraw aUSDC from a victim wallet
19:28 Sep 01, 2022          KyberNetwork announced the incident on Twitter
Sep 02 – Sep 03, 2022       The hacker tried to withdraw WBTC from a victim wallet
Sep 03, 2022                The hacker tried to enable his scripts again
Sep 03, 2022                Our SRE disabled public access to kyberswap.com
Sep 04, 2022                From the Cloudflare audit log, our SRE noticed that the hacker had used Cloudflare Workers to attack kyberswap.com
Sep 04, 2022                The compromised API key was rotated
Sep 04, 2022                Our SRE removed all of the hacker’s routes and scripts from the KyberSwap zone
Sep 09, 2022                We found the BadgerDAO post-mortem; the attack method is similar
Sep 09, 2022                The phishing email was found in the devops mailbox
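Most of the rows above come from the Cloudflare audit log, which means the Workers uploads, the ten-minute-lived route on Aug 08 and the recurring cache purges by a departed employee's account were all visible months before Sep 01. The following is an added example, not KyberSwap's own tooling, of a detector that turns such entries into findings: it flags watched action types, escalates when the actor is not on a current-staff roster, and pairs a route creation with a deletion shortly afterwards. The log entries are constructed to mirror the shape of Cloudflare's audit-log API output; the action type strings, e-mail addresses and IPs are assumptions.

```javascript
// Added example (not KyberSwap's tooling): scan Cloudflare audit-log entries for
// the change types that appear in the timeline above (Workers script uploads,
// Workers route changes, cache purges) and raise findings. Severity escalates
// when the actor is not on the current-staff roster, and a route that is created
// and deleted again within minutes (as on Aug 08, 2022) gets its own finding.
// Log entries are CONSTRUCTED to mirror the shape of Cloudflare's audit-log API
// output; action type strings and e-mail addresses are assumptions.

const CURRENT_STAFF = new Set(["sre-oncall@example.com"]); // placeholder roster

// Watched action types with a baseline severity (type names are assumed).
const WATCHED_ACTIONS = new Map([
  ["worker_script_upload", "high"],
  ["worker_script_delete", "high"],
  ["worker_route_create", "high"],
  ["worker_route_delete", "high"],
  ["purge_everything", "medium"],
]);

const toMs = (iso) => new Date(iso).getTime();
const actorOf = (e) => (e.actor && e.actor.email) || "unknown";
const zoneOf = (e) => (e.resource && e.resource.id) || "unknown";
const typeOf = (e) => (e.action && e.action.type) || "";

// One finding per watched entry; "critical" when the actor is not current staff.
function classifyEntry(entry, staff) {
  const type = typeOf(entry);
  const base = WATCHED_ACTIONS.get(type);
  if (!base) return null;
  const actor = actorOf(entry);
  const reasons = [`watched action ${type}`];
  let severity = base;
  if (!staff.has(actor)) {
    severity = "critical";
    reasons.push(`actor ${actor} is not on the current-staff roster`);
  }
  if (type.startsWith("worker_") && entry.interface === "API") {
    reasons.push("Workers change made with an API key, not in the dashboard");
  }
  return { when: entry.when, actor, action: type, zone: zoneOf(entry), severity, reasons };
}

// Pair each worker_route_create with the next worker_route_delete by the same
// actor on the same zone inside the window: a short-lived route is how a
// malicious script can be run briefly without leaving it in place.
function findEphemeralRoutes(entries, windowMs) {
  const sorted = [...entries].sort((a, b) => toMs(a.when) - toMs(b.when));
  const findings = [];
  sorted.forEach((created, i) => {
    if (typeOf(created) !== "worker_route_create") return;
    for (let j = i + 1; j < sorted.length; j++) {
      const later = sorted[j];
      const dt = toMs(later.when) - toMs(created.when);
      if (dt > windowMs) break;
      if (typeOf(later) === "worker_route_delete" && actorOf(later) === actorOf(created) && zoneOf(later) === zoneOf(created)) {
        findings.push({ when: created.when, actor: actorOf(created), action: "ephemeral_worker_route", zone: zoneOf(created),
          severity: "critical", reasons: [`route created and deleted again after ${Math.round(dt / 60000)} min`] });
        break;
      }
    }
  });
  return findings;
}

function scanAuditLog(entries, { staff = CURRENT_STAFF, ephemeralWindowMs = 15 * 60 * 1000 } = {}) {
  const findings = entries.map((e) => classifyEntry(e, staff)).filter(Boolean);
  findings.push(...findEphemeralRoutes(entries, ephemeralWindowMs));
  return findings.sort((a, b) => toMs(a.when) - toMs(b.when));
}

// CONSTRUCTED entries modelled on the Aug 06 and Aug 08 timeline rows, plus
// routine activity by a current employee for contrast.
const mkEntry = (when, iface, type, email, ip) => ({
  when, interface: iface, action: { type, result: true },
  actor: { type: "user", email, ip }, resource: { type: "zone", id: "zone-kyberswap" },
});
const SAMPLE_LOG = [
  mkEntry("2022-08-06T09:30:00Z", "API", "worker_script_upload", "devops@example.com", "203.0.113.10"),
  mkEntry("2022-08-08T10:56:00Z", "API", "worker_route_create", "devops@example.com", "203.0.113.10"),
  mkEntry("2022-08-08T11:03:00Z", "API", "worker_route_delete", "devops@example.com", "203.0.113.10"),
  mkEntry("2022-08-09T14:00:00Z", "UI", "purge_everything", "sre-oncall@example.com", "198.51.100.7"),
  mkEntry("2022-08-09T14:05:00Z", "UI", "dns_record_edit", "sre-oncall@example.com", "198.51.100.7"),
];

for (const f of scanAuditLog(SAMPLE_LOG)) {
  console.log(`${f.when} ${f.severity.toUpperCase().padEnd(8)} ${f.action.padEnd(22)} ${f.actor} :: ${f.reasons.join("; ")}`);
}
```

The roster check is the part that matters for this incident: the devops account stayed in Cloudflare with the ADMIN role after the ex-SRE left, so a rule keyed only on "is this a valid account" would have stayed silent, while a rule keyed on "is this account a current employee" fires on every one of the attacker's actions from April 2022 onwards. Pulling the roster from the HR or identity system rather than maintaining it by hand keeps the two from drifting apart.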

Root cause

A phishing email was sent to our ex-SRE’s mailbox on October 28, 2021. His Cloudflare account had administrator privileges but phishing-resistant 2FA (such as a hardware security key) was not enabled. The hacker gained access to Cloudflare and compromised the Global API key.

Using the compromised API key, the hacker began deploying malicious JavaScript to Cloudflare Workers on August 06, 2022, and repeatedly enabled and removed it in the weeks that followed. His JavaScript targeted only wealthy wallets, not every user.

Financial damage

Two users were affected by the hack.

Kyber team reimbursed a total of $314,000 to the first user and helped the second user confirm that the token allowance granted to the attacker’s address had been successfully revoked.

Wallets with larger holdings targeted

  • The hacker targeted wallets holding above US$1M in assets on August 06, 2022.
  • The hacker lowered the threshold to wallets holding above US$100k in assets on September 01, 2022.

Actions Taken and Next Steps by KyberSwap

We have since removed all of the attacker’s malicious JavaScript and routes from the UI and confirmed that the administrator privileges of the compromised Cloudflare account and of all other ex-employee accounts have been revoked. The kyberswap.com website is now working as normal, with heightened 24/7 monitoring by our engineering team.

In addition, we have rolled out phishing-resistant 2FA for all SRE employees, and set up proper exit procedures to revoke admin access from employee accounts and conduct a vulnerability check when they leave the team.

As promised earlier, we have also shared all the details of this security incident in this report.

Next Steps

Timeline     Item
Completed    More audits of both Web2 and Web3 infrastructure
Q1 2023      Develop a bug bounty program to be displayed on KyberSwap.com and explore working with 3rd-party platforms like Immunefi
Q1 2023      Set up a KyberSwap status page that shows important live information about the UI
Q1 2023      Increase education for all current and future Kyber team members about the various attack vectors related to phishing and man-in-the-middle attacks
Q1 2023      Confirm an insurance provider that provides both smart contract + frontend coverage

Other Questions

Why was this vulnerability not discovered earlier?

We were unaware that the Cloudflare account of an ex-Kyber employee (who had admin privileges) was the victim of a phishing attack and was compromised, resulting in the Cloudflare Global API key being compromised as well.

Can this specific exploit happen on KyberSwap again?

No, because we have worked closely with Google security experts to review our Google Cloud infrastructure, accounts, roles and permissions, firewall rules, and security and network monitoring systems. We have also issued hardware tokens to our SRE team, the only team with access to our production systems.

What can be learnt from this exploit?

Comprehensive audits and security at the smart contract and protocol level are not sufficient, as UI/frontend exploits can be equally dangerous to users. KyberSwap needs to shore up frontend security and educate the entire team about phishing attacks, especially where 3rd-party services such as Cloudflare are concerned. Our frontend security competency in this case was not optimal, and we promise to work harder to raise our competency level and improve our overall security framework moving forward.

In addition, we would like to highlight that every Cloudflare account is issued a Global API key by default; it grants full account access and can be rotated but not deleted or deactivated, so anyone who obtains it keeps that access until the legitimate owner rolls the key. Cloudflare’s customer support during our critical hack-discovery period was also far from ideal, with bugs in their audit logs. This severely increases the risk involved when depending on a 3rd-party service like Cloudflare.

Conclusion

We hope that this report helps the community clarify any doubts and questions regarding the KyberSwap UI exploit, while providing valuable information for other DeFi projects to safeguard against similar attacks. For any project that is facing a similar attack or would like to find out more about how to safeguard against it, please feel free to reach out to us.

We sincerely apologise for this lapse in security on KyberSwap and we appreciate your kind understanding of the website downtime experienced in September. We remain steadfast in our commitment to providing the utmost security for our users at all levels, including smart contracts, backend, and frontend. Let’s work together to make DeFi safer for everyone!

. . .

About Kyber Network

Kyber Network is building a world where any token is usable anywhere. KyberSwap.com, our flagship Decentralized Exchange (DEX) aggregator and liquidity platform, provides superior rates for traders in DeFi and maximizes returns for liquidity providers.

KyberSwap powers 200+ integrated projects and has facilitated over US$20 billion worth of transactions for thousands of users across 15 chains since its inception. Full list of supported exchanges and networks available here.
