According to the announcement, Kyber Network noticed a suspicious element on their front end and has shut down frontend operations to conduct an investigation.
They were also able to compile a list of suspicious wallet addresses that were active during the time of the exploit.
At the time of writing, $265,000 worth of assets were lost, with two addresses affected. It seems that the hackers were targeting ‘whale’ addresses.
The team promised to reimburse the amount of assets lost. While Kyber Network says the threat was neutralized, it warned users to watch for any suspicious activity in their wallets and urged all DeFi projects to check their frontends and associated Google Tag Manager (GTM) scripts.
According to a statement from Kyber, “On 1 Sep, 3.24PM GMT+7, we identified a suspicious element on our frontend. Shutting down our front end to conduct investigations, we identified a malicious code in our Google Tag Manager (GTM) which inserted a false approval, allowing a hacker to transfer a user’s funds to his address. At 4pm GMT+7 we announced to our community that we had disabled the UI, during which we investigated the cause of the frontend exploit. A malicious code in our GTM was identified upon which we disabled GTM.
“Conducting further checks, we found that after disabling GTM, the bad script was eliminated with no further suspicious activity. The script had been discreetly injected and specifically targeting whale wallets with large amounts.
“We restored the UI, with the steps after to identify all of the attackers’ addresses, and identify the extent of the damage, and which addresses were affected. We announced the UI going live again at 5.46pm GMT+7.”