KLAYswap Incident Report (Feb 03, 2022)

Published by KLAYswap, Feb 3, 2022

Dear KLAYswap community members,

Ozys, the entity in charge of developing KLAYswap, treats product security and the trust of its users as its highest priorities. Since KLAYswap is a representative decentralized finance protocol in the Klaytn ecosystem, we have devoted our efforts and resources to strengthening security through regular audits and protective measures.

However, today a malicious external attack occurred through a tampered SDK file delivered from an external site; it did not originate from KLAYswap’s own front-end source code or from a smart contract security issue. We sincerely apologize for the trouble and ask for the understanding of KLAYswap users.

This post covers the following: a detailed explanation of the cause of the incident, the measures taken to restore KLAYswap service quickly, follow-up guidance for users directly affected by the incident, and the compensation plan the KLAYswap team is currently considering.

In addition, in the hope of preventing similar incidents in the Klaytn ecosystem, the characteristics and detailed methods of today’s attack will be shared with the community.

1. Details of the accident

Starting from block 82005544 at 11:31:41 on February 3, 2022 (UTC+9), suspicious transactions were executed in which tokens were sent to a specific wallet whenever users executed token-related functions.

This happened because the user’s normal request for the Kakao SDK JavaScript file ( https://developers.kakao.com/sdk/js/kakao.min.js ) was answered by a third-party server built by the attacker rather than by a Kakao server, so a malicious code file was downloaded in place of the SDK.

(Before revision)

Based on an old version of the KLAYswap code (around January 4th), the attacker redirected all user transaction requests directly to their own contracts, and replaced the Kakao SDK script loaded on the KLAYswap site with malicious code intended to disrupt the operation of the existing KLAYswap code.

(After revision)

Based on an old version of the KLAYswap code (around January 4th), the attacker created malicious code that altered all user transaction requests so that users’ tokens were transferred or approved to the attacker’s contract. Even when a KLAYswap user normally requested “https://developers.kakao.com/sdk/js/kakao.min.js”, the file downloaded was not the genuine SDK produced by Kakao but the attacker’s own malicious code file, which prevented the existing KLAYswap code from operating.

When a transaction was created through the contaminated logic, the user’s assets were either approved to or sent directly to the attacker’s addresses (0x3f315f2bfa8452febbc08a9e3a7fdf8872f9527c, 0xdfcb0861d3cb75bb09975dce98c4e152823c1a0b).

2. Countermeasures

To prevent further damage, the following measures were adopted. Upon identification of the incident, all KLAYswap functions were blocked, emergency inspections were conducted, and the operation of the Klaytn minter in Orbit Bridge was restricted to prevent the transfer of stolen assets to other exchange platforms.

(Before revision)

Along with the restrictions on KLAYswap and Orbit Bridge functions, the contaminated Kakao SDK file, which our analysis identified as the main cause of the incident, was removed. In addition, we identified both the wallet addresses and the list of assets exposed to the smart contract used by the hacker. Furthermore, additional development was carried out so that the assets approved for the malicious contract can be unauthorized once KLAYswap is back to normal operation. Below, we explain how to clear the exposed wallet list and approval history.

(After revision)

As a result of a thorough analysis of the incident, carried out alongside the restrictions on KLAYswap and Orbit Bridge functions, we confirmed that a malicious code file, not the genuine SDK produced by Kakao, was downloaded even though the Kakao SDK was requested through the ordinary route described in Kakao’s guidelines, and we have removed Kakao SDK loading from KLAYswap. In addition, we immediately identified the KLAYswap user wallet addresses and the lists of assets approved for the smart contracts used by the hackers, and completed additional development to unauthorize the asset approvals granted to the problematic contracts once KLAYswap is back to normal operation. Below, we explain once again how to clear the exposed wallet addresses and token approval lists.

We are currently working closely with various exchange platforms and security audit companies in order to determine the fundamental cause of this incident.

Users who accessed KLAYswap before the incident and have kept using it may still be exposed to the risk of asset exploitation, since unintended transactions can recur as long as the malicious code remains cached in the browser. Since KLAYswap cannot resolve this on the user’s behalf, users must immediately clear their internet browser cache manually.

However, since this was not a defect or security issue in the KLAYswap front-end source code or smart contracts, we can state with confidence that all assets, other than those in the transactions generated at the time of the incident, are safe.

3. Compensation plan

Ozys, the developer of KLAYswap, strives to advance decentralized finance more than anyone, and we therefore plan to establish a compensation plan to mitigate this incident and minimize the damage it caused. Currently, the estimated damage is about 2.2 billion (KRW) worth of digital assets. We plan to identify the cause of the problem precisely and prepare follow-up countermeasures in close consultation with related companies, and we will announce the exact date and method of compensation promptly in upcoming notices.

It has been confirmed that 407 abnormal transactions occurred across a total of 325 wallets at the time of the incident.

To prevent further unexpected incidents, we strongly recommend that users who created a transaction on KLAYswap at the time of the incident replace their wallet with a new one. When changing wallets, please transfer a small amount first; after confirming that the transfer arrived safely, transfer the remaining amount.

4. Guides for unauthorizing token approval

If your wallet completed a token approval requested by the malicious contract, you must manually unauthorize that token approval in the KLAYswap UI before using the service again. Token approval unauthorization proceeds as follows.

1) Check the pop-up that appears after accessing the KLAYswap site, and click the [Go to the unauthorizing token approval page] button.

* If the pop-up is not displayed when accessing the site, please delete the internet cache and then access the site.

2) On the [Unauthorizing token approval] page, click the [Connect Wallet] button to complete the connection to your wallet.

3) Once the wallet is connected, you can see the full list of assets for which the malicious contract’s approval request was granted. You can then execute the transaction by clicking the [Unauthorizing token approval] button. If multiple assets were approved, a separate transaction is required for each one, in succession, until the number of approved assets in the list reaches ‘0’.

* Check the Token, LP token, and Single Deposit tabs respectively.

4) When all token unauthorization transactions are completed, the [Unauthorizing token approval] button becomes inactive and the approved asset list shows ‘0’.

When you click the button you can confirm that all approvals have become unauthorized.

5) Once all of the above steps are completed, the wallet’s assets are safe from the malicious contract, but we recommend transferring your assets to a new wallet address and continuing to use KLAYswap from there.
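The approvals this guide tells users to unauthorize are standard KIP-7/ERC-20 allowances: until they are set back to zero, the approved contract can move the tokens regardless of what the front end does. The following added example, which is not the KLAYswap UI’s own code, shows what such an unauthorization transaction is at the calldata level, `approve(spender, 0)` sent to each affected token contract, and which revocations are still pending given a wallet’s allowance readings. It assumes the tokens follow the standard ABI; the two spender addresses are the attacker contracts named in this report, while the token addresses and allowance readings are constructed placeholders.

```javascript
// Added example (not the KLAYswap UI's code): revoking a token approval is
// approve(spender, 0) on the token contract. Selectors are the first 4 bytes
// of keccak256 of the function signature, as in the standard ERC-20/KIP-7 ABI.
const SEL_APPROVE = '095ea7b3';    // approve(address,uint256)
const SEL_ALLOWANCE = 'dd62ed3e';  // allowance(address,address)

// The attacker contracts named in the report.
const MALICIOUS_SPENDERS = new Set([
  '0x3f315f2bfa8452febbc08a9e3a7fdf8872f9527c',
  '0xdfcb0861d3cb75bb09975dce98c4e152823c1a0b',
]);

// ABI-encode a 20-byte address as a left-padded 32-byte word.
function wordFromAddress(addr) {
  const hex = addr.toLowerCase().replace(/^0x/, '');
  if (!/^[0-9a-f]{40}$/.test(hex)) throw new Error('bad address: ' + addr);
  return hex.padStart(64, '0');
}
// ABI-encode a non-negative integer as a 32-byte word.
function wordFromUint(n) { return BigInt(n).toString(16).padStart(64, '0'); }

// Calldata for an eth_call of allowance(owner, spender) on a token contract.
function allowanceCalldata(owner, spender) {
  return '0x' + SEL_ALLOWANCE + wordFromAddress(owner) + wordFromAddress(spender);
}
// Calldata for the unauthorization transaction approve(spender, 0).
function revokeCalldata(spender) {
  return '0x' + SEL_APPROVE + wordFromAddress(spender) + wordFromUint(0);
}

// Given allowance readings {token, spender, allowance} for one wallet, return
// the revocation transactions still needed: one per token whose allowance to
// a malicious spender is non-zero. A zero allowance is already unauthorized.
function pendingRevocations(readings) {
  return readings
    .filter(r => MALICIOUS_SPENDERS.has(r.spender.toLowerCase()) && BigInt(r.allowance) > 0n)
    .map(r => ({ to: r.token, data: revokeCalldata(r.spender) }));
}

// Constructed sample readings (placeholder token addresses), as a wallet would
// obtain them by calling allowanceCalldata(owner, spender) on each token.
const SAMPLE_READINGS = [
  { token: '0x' + '11'.repeat(20), spender: '0x3f315f2bfa8452febbc08a9e3a7fdf8872f9527c',
    allowance: '0x' + 'ff'.repeat(32) },  // unlimited approval: must be revoked
  { token: '0x' + '22'.repeat(20), spender: '0xdfcb0861d3cb75bb09975dce98c4e152823c1a0b',
    allowance: '0x0' },                   // already set to zero: nothing to do
  { token: '0x' + '33'.repeat(20), spender: '0x' + 'aa'.repeat(20),
    allowance: '0x64' },                  // unrelated spender: left untouched
];
```

The one pending item for the sample is the first token, which matches the guide’s “one transaction per approved asset until the list reaches 0” behaviour.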

KLAYswap is an AMM-based swap protocol that allows users to swap any KCT token on the basis of KLAY. The active website is https://klayswap.com