DeFi under attack: sophisticated domain hijacking revealed
On July 11, a domain hijacking campaign targeting several decentralized finance (DeFi) applications redirected their users to malicious websites.
The attack affected major DeFi protocols such as Compound Finance and threatens many others in the ecosystem. It centers on domain names registered through Squarespace, a widely used website-building platform.
DNS entries modified by attackers
Attackers modified DNS records so that users trying to reach legitimate DeFi front ends were instead sent to phishing sites built to harvest private information and drain assets.
The first sign of the incident came from compound.finance: users of the Compound Finance interface were redirected to a fake site running a token-draining script.
I’ve compiled a (partial) list of domains connected to Square Space that are at risk of being hacked right now, I’d avoid them for now https://t.co/Cih5YTgFL9
— 0xngmi (@0xngmi) July 11, 2024
Celer Network’s domain was targeted in the same way, but its monitoring systems detected the change and stopped the attack before any damage was done.
Celer Network reported the DNS attack at 13:38 UTC; by 15:38 UTC Blockaid, a blockchain security platform, had confirmed that modified DNS records were affecting many DeFi front ends hosted on Squarespace.
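The article does not describe how Celer’s monitoring caught the change, but the core of such a check is small: keep a signed-off baseline of the domain’s NS records and the address ranges it may legitimately resolve to, poll the resolver, and alert on any deviation. The following is an added example written for this article, not code from Celer, Compound, Blockaid or Squarespace. The domain, nameserver names and address ranges are constructed placeholders (RFC 5737 documentation ranges), and the allow-list of CIDRs is an assumption chosen so that ordinary CDN rotation within the provider’s ranges does not trigger a false alert.

```python
"""DNS drift monitor for a DeFi front-end domain.

Added example for this article, not code from Celer, Compound or Squarespace.
It compares the NS and A records a resolver returns against a baseline the
team has signed off on, and flags any deviation: a nameserver that is not in
the baseline set, or an address outside the hosting provider's known ranges.
The domain, nameservers and address ranges below are constructed placeholders.
"""
import ipaddress
import socket
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Baseline:
    domain: str
    nameservers: frozenset          # expected NS names, lowercase, no trailing dot
    allowed_cidrs: tuple            # ipaddress networks the front end may resolve to


@dataclass
class DriftReport:
    domain: str
    unexpected_ns: list = field(default_factory=list)   # NS not in baseline
    missing_ns: list = field(default_factory=list)      # baseline NS no longer served
    unexpected_ips: list = field(default_factory=list)  # A records outside allowed_cidrs

    @property
    def hijack_suspected(self) -> bool:
        # A registrar-level hijack typically replaces the NS set and points A
        # records at attacker infrastructure; either signal alone is enough to alert.
        return bool(self.unexpected_ns or self.unexpected_ips)


def normalize_name(name: str) -> str:
    """Lowercase and strip the trailing dot so 'NS1.Example.TEST.' == 'ns1.example.test'."""
    return name.strip().rstrip(".").lower()


def check_drift(baseline: Baseline, observed_ns, observed_ips) -> DriftReport:
    """Compare observed resolver answers with the baseline and return what changed."""
    report = DriftReport(domain=baseline.domain)
    seen_ns = {normalize_name(n) for n in observed_ns}
    report.unexpected_ns = sorted(seen_ns - baseline.nameservers)
    report.missing_ns = sorted(baseline.nameservers - seen_ns)
    for raw in observed_ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            # An unparseable answer is itself suspicious; do not silently drop it.
            report.unexpected_ips.append(raw)
            continue
        if not any(addr in net for net in baseline.allowed_cidrs):
            report.unexpected_ips.append(str(addr))
    report.unexpected_ips.sort()
    return report


def resolve_a_records(domain: str) -> list:
    """Live A lookup through the system resolver (stdlib only). NS records need
    a DNS library such as dnspython or an external `dig`, so they are passed in."""
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


# Constructed baseline: placeholder names and RFC 5737 documentation ranges.
BASELINE = Baseline(
    domain="app.example-protocol.test",
    nameservers=frozenset({"ns1.example-dns.test", "ns2.example-dns.test"}),
    allowed_cidrs=(ipaddress.ip_network("203.0.113.0/24"),),
)

# Constructed observations: a normal CDN rotation and a registrar-level hijack.
NORMAL_ANSWER = (["ns2.example-dns.test.", "NS1.example-dns.test."], ["203.0.113.45"])
HIJACK_ANSWER = (["ns-evil.example.test"], ["198.51.100.7"])


def main() -> None:
    for label, (ns, ips) in (("normal", NORMAL_ANSWER), ("hijack", HIJACK_ANSWER)):
        report = check_drift(BASELINE, ns, ips)
        status = "ALERT" if report.hijack_suspected else "ok"
        print(f"{label:7s} {status:5s} unexpected_ns={report.unexpected_ns} "
              f"missing_ns={report.missing_ns} unexpected_ips={report.unexpected_ips}")


if __name__ == "__main__":
    main()
```

In practice the poller runs from several vantage points (a resolver in another provider’s network will see the hijacked records even if your own cache is still serving the old ones), and the alert should page a human rather than auto-remediate, because the fix for a registrar-level hijack is at the registrar, not in DNS.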
These events have sparked much debate about the security weaknesses of DeFi applications that still depend on conventional Web2 infrastructure such as domain registrars and DNS. Security experts believe the attack originated with the Google Domains accounts these DeFi platforms used.
All domains migrated in Squarespace’s $180 million purchase of Google Domains are now under increased scrutiny.
List of potentially impacted protocols
Subsequently, 0xngmi, the creator of DefiLlama, compiled a list of over 100 potentially impacted DeFi protocols. Notable names on the list include Pendle Finance, Axelar, Vertex Protocol, Polymarket, Karak Network, Hyper Liquid, Thorchain, Hop, dYdX, Satoshi Protocol, Nirvana, and LooksRare.
Pendle Finance advised users not to use its app after confirming that its domain had been compromised, and briefly took the site down to prevent further use. User funds were not affected.
Both Compound Finance and Celer have acknowledged the DNS hijack: Compound confirmed that its domain was hijacked and redirected to a fraudulent site, while Celer detected and stopped the attack before it caused harm. Both teams are still assessing the extent of the compromise.
MetaMask alert
In response, the popular Web3 wallet provider MetaMask has added warnings for users who attempt to transact on the compromised websites. The warnings are meant to make users aware of the threat and reduce the risk of token theft.
Until the threat is fully mitigated, users are also advised to avoid interacting with any DeFi application hosted on a Squarespace-managed domain.
Ongoing threats and necessary precautions
As the situation has evolved, neither Celer Network nor Compound Finance has confirmed that the threat is fully eliminated. No theft of funds has been recorded so far, but vigilance remains important.
Highlighting the crucial need for strong security mechanisms
This episode is part of a trend of increasing risks in the Web3 space.
Previous events, such as the $70 million hack of Curve Finance and the injection of malicious code into the Ledger Connect Kit library in December, which affected virtually the entire Ethereum Virtual Machine (EVM) ecosystem, show that these threats are ongoing and evolving.
Possible ways to strengthen the crypto ecosystem against such attacks include initiatives like the SEAL 911 Telegram bot and security councils that include industry players such as Coinbase.