Following the recent $87 million exploit on Justin Sun’s cryptocurrency exchange HTX and Heco Chain, another Web3 project, Kyber Network, announced a cybersecurity incident.
"Dear KyberSwap Elastic Users, we regret to inform you that KyberSwap Elastic has experienced a security incident," the team posted today on X, recommending "all users to promptly withdraw their funds."
Read also: ChatGPT Accuracy in Smart Contract Vulnerability Detection Exceeds 75%
As reported by the on-chain security firm CertiK, Kyber Network's estimated total damage amounts to nearly $45 million. This surpasses the combined losses from hacks and scams across the crypto community that took place over the past week.
The hacker behind Kyber Network's breach appears open to discussing the incident with the project's team.
"Dear Kyberswap Developers, Employees, DAO members, and LPs, negotiations will start in a few hours when I am fully rested. Thank you," an on-chain message left by the attacker yesterday at 11:57:11 PM (+UTC) reads.
Read also: Weekly Damage from Web3 Exploits Surpasses $35 Million
CertiK emphasizes that "The hackers left many detailed logs in their attack contracts."
A security researcher known on X as Weiss.eth commented on the incident, raising questions about the security measures in place and the effectiveness of bug bounty programs in preventing such incidents.
According to Weiss.eth, the security pipeline at Kyber Network is relatively strong, including three audits and a history of organizing bug bounty programs, with rewards totaling over $1 million.
However, Kyber Network’s recent bug bounty program on Immunefi, the leading platform for incentivizing white hats specializing in the cybersecurity of Web3 projects, was only $200,000. This amount represents only around 0.2% of Kyber Network’s total value locked (TVL), as estimated by Weiss.eth.
The cybersecurity expert suggests that disproportionately small rewards, combined with a willingness of the teams behind compromised projects to negotiate the amount of loot with hackers, subsequently allowing them to walk away with 10-20% of the overall stolen funds without legal responsibility, motivates malicious actors to carry out attacks instead of sharing their knowledge on a project’s vulnerabilities with its developers.
"If every protocol had at least a 5%-8% bounty of its overall TVL, this would not happen," Weiss.eth believes, adding that "Bounties with your own token vested do not have the best reaction from white hats either. Most of them look at non-vested stables or ETH."
While this approach seems logical, some influential members of the crypto community express concerns about the actual costs of such bounties.
"The problem is that it skyrockets very fast. 5% of 1 billion is already $50 million," explains Merlin Egalite, co-founder of MorphoLabs. He adds that only few projects can afford to pay such sums of money unless they can secure it from the DAO treasury.
Given that scammers often exploit financial losses experienced by users of compromised Web3 products by impersonating project teams and providing links to fake reimbursement websites, Kyber Network advises the community to refrain from "clicking on any phishing links or responding to DMs." According to the Kyber Network team, the only legitimate sources of official news are the project’s official X account and website.