Sophisticated Domain Registry Attack Targets Multiple DeFi Applications- Blockaid
On July 11, a sophisticated domain registry attack compromised multiple decentralized finance (DeFi) applications, redirecting users to malicious websites. Several protocols have issued warnings to their users regarding the attack.
Blockchain security platform Blockaid identified that the attacker exploited domain names provided by Squarespace, a popular website-building service. This breach affected prominent DeFi protocols, including Compound Finance, and potentially endangered many other applications within the ecosystem.
The attackers manipulated the domain name system (DNS) entries, effectively intercepting users attempting to access legitimate DeFi platforms and directing them to phishing sites designed to steal sensitive information and funds.
Initial Discovery and Scope of the Domain Registry Attack on Multiple DeFi Protocols
The attack was first detected when users attempting to access Compound Finance’s interface at compound.finance were redirected to a malicious website. This fraudulent site contained a drainer app designed to steal users’ tokens.
Concurrently, Celer Network’s domain was also targeted, but its monitoring systems successfully intercepted the takeover attempt before it could succeed.
At 1:38 p.m. UTC, Celer Network alerted the crypto community about the DNS attack.
By 3:38 p.m. UTC, Blockaid confirmed that multiple DeFi front ends were at risk of hijacking, attributing the attacks to compromised DNS records on Squarespace-hosted projects.
This incident sparks up discussion on the vulnerabilities of DeFi applications that rely on Web2 infrastructure.
Security experts have since identified the attack vector as likely originating from Google domain accounts used by these protocols.
Squarespace acquired Google Domains in a $180 million deal, so all associated websites are now under scrutiny.
Subsequently, 0xngmi, the developer behind DefiLlama, published a list of over 100 potentially affected DeFi protocols , including notable names like Pendle Finance, Axelar, Vertex Protocol, PolyMarket, Karak Network, Hyper Liquid, Thorchain, Hop, dYdX, Polymarket, Satoshi Protocol, Nirvana, and LooksRare.
Apart from Compound and Celer that have been hacked, other related protocols now face heightened scrutiny as users and developers seek to secure their platforms.
Responding to 0xngmi list, Pendle Finance confirmed the breach and also recently confirmed that it took down its page. The yield protocol warned its users from using the app and assured their their funds are safe.
Affected Defi Protocols Confirm Attack, No Funds Stolen.
Domain name hijacking is one of several attack vectors threatening the Web3 industry.
Notably, Compound Finance and Celer Network have both issued statements acknowledging the DNS attack.
Compound Finance confirmed that their domain had been compromised, redirecting users to a malicious site.
Celer Network, however, managed to detect and intercept the attack before any harm could be done.
Despite these proactive measures, both platforms continue to investigate the full extent of the attack.
Also, MetaMask, a leading Web3 wallet provider, responded by implementing warnings for users attempting to transact on compromised sites.
This proactive measure aims to mitigate the risk of token theft by alerting users to potential dangers.
Furthermore, users are urged to avoid interacting with these and other DeFi dapps hosted on Squarespace domains until further notice to prevent potential token theft.
As the investigation continues, neither Celer Network nor Compound Finance have confirmed full threat mitigation.
While no funds have been reported stolen thus far, users are advised to exercise caution and avoid interacting with DeFi dapps until further notice.
The current attack on DeFi apps via DNS vulnerabilities reveals the critical need for robust security measures in the Web3 space.
Initiatives like the SEAL 911 Telegram bot and security councils comprising industry leaders, including Coinbase, are suggested as steps toward building a more secure crypto ecosystem.
In December, an attacker compromised the Ledger Connect library by injecting malicious code , affecting nearly the entire Ethereum Virtual Machine ecosystem.
Similar incidents, such as the front-end attack on Balance and the $70 million exploit involving Curve Finance, illustrate these threats’ persistent and evolving nature.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Vitalik Buterin urges Web3 wallets to improve security, privacy
Fan tokens offer stability — NFTs have not
Safe’s Safenet wants to bring Visa-like payments network to crypto