
Cyber Incident Victim: KLAYswap

Date:

Feb 2022

Location:

South Korea

Summary

A decentralized finance platform suffered a front-end compromise when attackers hijacked a third-party SDK script (the Kakao SDK) loaded by its interface, redirecting user requests to malicious servers. The injected code altered transaction approvals and transfers so that they went to attacker-controlled addresses, impacting approximately 325 wallets and enabling unauthorized asset transfers valued at roughly 2.2 billion KRW. The platform responded by suspending services, removing the compromised SDK, and releasing a tool for users to revoke the malicious approvals. Users were advised to clear browser caches and migrate assets to new wallets. The incident stemmed from manipulation of external infrastructure, not from vulnerabilities in the platform’s core smart contracts or codebase.


Description

On February 3, 2022, at approximately 11:31:41 UTC+9, KLAYswap experienced a security incident originating from a compromised third-party dependency. Attackers exploited a vulnerability in the network routing infrastructure to hijack requests for the Kakao SDK JavaScript file (https://developers.kakao.com/sdk/js/kakao.min.js), so that users' browsers were served the file from attacker-controlled servers instead of legitimate Kakao infrastructure. As a result, browsers downloaded a modified SDK that changed transaction behavior on KLAYswap's frontend. The malicious payload targeted an outdated version of KLAYswap's frontend code from early January, overriding the normal transaction functions so that user token transfers (Transfer) and approvals (Approve) were redirected to attacker-controlled contracts at addresses 0x3f315f2bfa8452febbc08a9e3a7fdf8872f9527c and 0xdfcb0861d3cb75bb09975dce98c4e152823c1a0b. The attack persisted until KLAYswap's security team identified the compromise, at which point they immediately disabled all platform functionality and initiated emergency maintenance.


The incident impacted 325 wallets, generating 407 anomalous transactions that resulted in approximately 2.2 billion KRW (about $1.8 million) in losses. KLAYswap's containment strategy involved suspending Orbit Bridge's Klaytn minting operations to prevent exfiltration of assets to exchanges, removing all Kakao SDK integrations from the frontend, and developing a dedicated token approval revocation tool. Affected users were instructed to clear their browser caches to eliminate any residual malicious code and to revoke approvals through a new interface that listed the compromised assets across Token, LP Token, and Single Deposit categories. While confirming that no vulnerabilities existed in KLAYswap's core smart contracts or frontend code, the team collaborated with security auditors and partners to analyze the routing attack vector. Ozys, KLAYswap's developer, committed to compensating verified losses once the damage assessment was finalized, and advised users to transfer their assets to new wallets after revoking approvals as an additional precaution.
