KickEX Exchange Incident Investigation
The exchange is operating normally. Orders and transactions that the attackers carried out at artificially high rates have been canceled. Deposits, withdrawals, and orders function normally. The accounts of those who intentionally participated in the exploitation of the vulnerability are blocked.
An incident recently occurred in which an attempt was made to exploit a vulnerability in the margin trading algorithm on the KickEX exchange. A small piece of code was released to the production servers prematurely. We want to be as transparent with you as possible, so we are going to tell you exactly what happened on the night of Thursday to Friday.
After conducting an internal investigation, we found out that there was no actual hack. However, the attackers found a part of the margin trading functionality that was still under development and was not supposed to be on the "live" server; nevertheless, it got there. Users who gained access to this functionality were able to make transactions without spending their own funds, taking a non-existent loan from the exchange with no intention of repaying it. We found out that these users discovered the vulnerability on June 24th and had been preparing the attack for two days, deliberately choosing a time when our developers were not able to react immediately. As a result of their actions, unsecured orders began to appear at significantly high rates, and random participants in exchange trading executed them in favor of the attackers. This produced a snowball effect, and for some time the KICK rate in relation to BTC increased thousands of times.
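As an added illustration, and not KickEX's own code (which the post does not show), this is the kind of pre-trade gate whose absence the paragraph above describes: a margin order is accepted only if the user already holds the collateral for their own share of it, and only if its price stays within a band around the last traded price, so a loan cannot be created from nothing or spent on artificial rates. The class names, thresholds and sample values are assumptions.

```python
from dataclasses import dataclass

# Constructed illustration (not KickEX code): gates a margin engine applies before lending.

@dataclass
class Account:
    user_id: str
    balance: float      # collateral the user actually holds, in quote currency (BTC)

@dataclass
class MarginOrder:
    user_id: str
    price: float        # quote per base unit, e.g. BTC per KICK
    quantity: float     # base units
    leverage: float     # 3.0 means the user posts 1/3, the exchange lends 2/3

@dataclass
class Decision:
    accepted: bool
    reason: str
    collateral: float = 0.0   # user funds locked for this order
    loan: float = 0.0         # amount the exchange lends against that collateral

def validate_margin_order(order, account, reference_price,
                          max_leverage=3.0, max_deviation=0.10):
    """Gate 1: the user must fund their share before any loan exists.
    Gate 2: the price must stay within a band around the last traded price,
    so borrowed funds cannot be used to fill orders at artificial rates."""
    if order.user_id != account.user_id:
        return Decision(False, "account mismatch")
    if not (1.0 <= order.leverage <= max_leverage):
        return Decision(False, "leverage outside allowed range")
    if order.price <= 0 or order.quantity <= 0 or reference_price <= 0:
        return Decision(False, "non-positive price, quantity or reference")
    notional = order.price * order.quantity
    collateral = notional / order.leverage
    if collateral > account.balance:
        # This is the check the incident describes as missing: without it the
        # "loan" is created from nothing and the order is effectively unsecured.
        return Decision(False, "insufficient collateral")
    deviation = abs(order.price - reference_price) / reference_price
    if deviation > max_deviation:
        return Decision(False, "price outside band")
    return Decision(True, "ok", collateral, notional - collateral)

if __name__ == "__main__":
    ref = 1e-6   # constructed last traded price, BTC per KICK
    acct = Account("u1", 0.01)
    print(validate_margin_order(MarginOrder("u1", 1e-6, 10_000, 3.0), acct, ref))
```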
What will happen to users of the exchange?
Attackers. All transactions made by exploiting the vulnerability have now been canceled. The unscrupulous users who made those transactions without spending their own funds managed to withdraw a small amount, equal to the reward for finding vulnerabilities in our security bug bounty program. However, this amount will be recovered from them, since we know all our users. We will notify the relevant authorities in their countries of residence about the criminal actions of the attackers.
Affected. Those who traded at the correct rates will not notice anything. The exchange accounts of those who involuntarily became participants in the incident and traded at incorrect rates ended up with a negative balance. These users are temporarily unable to withdraw any funds until their margin debt is paid off. Kick Ecosystem will cover this debt. We have already identified those who intentionally used the vulnerability and those who had no goal of dishonest enrichment. Some of these accounts have already been unblocked. The rest will be unlocked within 24 hours, once the debt is covered.
Strengthening security. The problem is now resolved, and such situations will not arise in the future. The process for updating the code was already very strict, and everything was carefully checked before; nevertheless, code updates have been tightened even further and placed under special control. In addition, we added another layer of security that controls all withdrawals from the exchange wallets, and this functionality has already been handed over to our financial monitoring service. The other side of this extra control for the safety of funds is that such operations might take a little longer to complete. Withdrawals of amounts over $500 will now take some time, which is necessary for financial monitoring to verify the transaction and the user. During the attack, cold wallets were not affected and the financial security system worked as required; there is nothing to worry about.
Interesting details of what happened
As we mentioned earlier, the attackers obtained access to the functionality under development a few days ago. After that, they prepared their attack on the exchange. They are three people: one is a citizen of an African country, the second is from Vietnam, and the third is from Russia. We know these people and are preparing legal statements to the authorities of their countries regarding their illegal actions. We will forward the details of the investigation to the financial crime authorities in these countries and to the international financial crime control services. They will be marked as scammers in all services that verify users, so they will no longer be able to pass verification on other exchanges, banks, or payment systems. That will protect other users and other projects from similar incidents. It is amazing how, in the era of globalization and the digital economy, a crime committed in one country can lead to a complete blockage of financial activity around the world, which increases the security of all decent users.
We apologize for this incident. User security is a vital concern for us, and that is why neither the KickEX exchange nor any of the users' funds have been harmed.
Kick Ecosystem team