Buy Crypto
Pay with

Web2 Vulnerabilities: An Overlooked Danger For Web3 Projects


Main Takeaways

  • DeFi projects are getting hacked via Web2 exploits.

  • In two recent cases, tag management and domain name systems were used to compromise DeFi projects’ security.

  • Web3 teams can safeguard the wider ecosystem by paying attention to Web2 security requirements.

Over the last few months we’ve seen a number of Web3 projects targeted by hackers using Web2 exploits to steal hundreds of thousands of dollars in user funds. There are lessons for other projects to be learned here. It’s worth taking a moment to reflect on these Web2 vulnerabilities so we can work together to safeguard the Web3 ecosystem.

Blockchain technology has revolutionized finance. Users have been able to directly manage their own money and investments thanks to self-custody, smart contracts and Web3 products. But within this changing landscape there needs to be a balance between decentralization and security. The latter is particularly important when regular people’s funds are involved. Given the decentralized nature of Web3, the focus is often on ensuring that the blockchain protocols and smart contracts at the heart of different products and platforms are robust, secure, and free from exploits. 

However, many Web3 projects still lean on Web2 frameworks and technology to run additional functionalities on top of their core blockchain protocols. And so hackers are starting to use Web2 vulnerabilities as attack vectors when looking to steal project and user funds. One example is exploiting front-end code or systems rather than attacking the smart contracts themselves.

What are these Web2 exploits? How do they work? And what can be done about them? We’ll answer those questions in this article by looking at two major DeFi projects that have fallen to Web2 exploits in recent months — KyberSwap and Curve Finance — and draw some conclusions from these examples to help the wider community keep safe.

KyberSwap loses $265,000 (USD) to Google Tag Manager exploit

Decentralized exchange KyberSwap suffered a front-end exploit on September 1, 2022. The attack led to $265,000 being lost. So what happened? In short, hackers inserted malicious code in KyberSwap’s Google Tag Manager (GTM), which allowed them to transfer user funds to their own addresses. 

Google Tag Manager (GTM) — a Web2 vulnerability 

This is a Web2 exploit because GTM has nothing to do with KyberSwap’s smart contracts or blockchain protocol functionality. Rather, GTM is a tag management system that helps with adding and updating digital marketing tags for things like conversion tracking and site analytics. The hackers were able to gain access to KyberSwap’s GTM account through phishing, which then allowed them to insert the malicious code. This gave the criminals access to user funds due to KyberSwap’s compromised front end, and the eventual loss of $265,000. 

The script specifically targeted whale wallets. Kyber Network, the liquidity hub behind KyberSwap, managed to disable the GTM and eliminate the bad script, thereby stopping any further criminal activity. As a side note: KyberSwap announced that all losses would be compensated. But if more attention had been paid to Web2 security, this front-end attack could have been prevented altogether.

Curve Finance loses $570,000 (USD) to DNS exploit

KyberSwap is not the only DeFi project to have suffered a front-end exploit recently. On August 9, 2022, a group of attackers exploited a vulnerability in the decentralized exchange Curve Finance, stealing $570,000 in Ethereum (ETH) from user wallets. This time the front-end attack was due to DNS cache poisoning — a vulnerability that enabled hackers to redirect users trying to reach Curve Finance’s domain. Users were instead taken to a fake copycat site.

DNS cache poisoning — a Web2 vulnerability 

DNS is short for domain name system. It is one of the fundamental tools allowing people to browse the internet effortlessly. Whenever someone types in a domain name, their device sends a query to a DNS server asking for the associated IP address. 

Typically, this query will go through multiple DNS servers until it finds the corresponding address. Think of the internet as a massive, intricate highway system, with each road leading to a different website. On these roads, DNS servers function as traffic officers that guide cars in the right direction.

In the case of Curve Finance, hackers created a 1:1 copy of Curve’s real DNS server and redirected users to a rogue website that looked exactly like the project’s. This allowed the criminals to implant a malicious contract in the Curve “home page”. When users approved the usage of the contract on their wallets, their funds were drained, to a total of $570,000.

How can projects protect their users? Lessons to be learned

The biggest lesson to learn here is that it doesn’t matter how strong your smart contracts are if a project doesn’t take Web2 security just as seriously. Teams need to think about the gaps that may exist between the Web2 and Web3 spaces, and take greater responsibility for overall project security. 

What we can learn from the GTM exploit 

In the case of KyberSwap and the GTM exploit, for example, teams need to remember to use two-factor authentication (2FA) to protect ancillary tools such as their GTM accounts. Projects should also only allow as few people as necessary to access accounts that can deploy code of their choice on their website. Given how dangerous it is to have that ability, there needs to be a proper system of access control. At Binance, for example, we separate access into three different roles: tag developer, security checker, and publisher. None of them can add new website code alone — all three are needed to complete the process.

What we can learn from the DNS exploit 

Avoiding a compromised DNS server will always be more straightforward than cleaning up the damage afterward. Here’s what regular users can do to safeguard their funds:

  • Don’t click on suspicious links.

  • Clear your DNS cache periodically.

  • Regularly scan for harmful programs on your device.

There are limits, however, to what everyday folks can do to protect themselves in this situation. Compromised DNS servers will often redirect users to an identical home page that is near-impossible to discern from the page they intended to view.  

The onus of responsibility lies on the crypto companies. Projects should ensure they use a secure and reputable domain management vendor. In the case of the Curve Finance hack, Binance CEO CZ noted on Twitter that they used “a DNS which is insecure. No Web3 projects should do that. Very susceptible to social engineering.”

Teams shouldn’t try to cut costs with a low-end DNS provider. A reliable vendor should support custom protocols that prevent hackers from altering domain name settings. 

Web3 offers a huge amount of opportunity, but we shouldn’t ignore security threats that have been there since the previous era of the internet. Let’s be vigilant and safeguard our ecosystem together on all fronts.