Sophisticated Domain Registry Attack Targets Multiple DeFi Applications - Blockaid

Hassan Shittu

On July 11, a sophisticated domain registry attack compromised multiple decentralized finance (DeFi) applications, redirecting users to malicious websites. Several protocols have issued warnings to their users regarding the attack.

Blockchain security platform Blockaid identified that the attacker exploited domain names provided by Squarespace, a popular website-building service. This breach affected prominent DeFi protocols, including Compound Finance, and potentially endangered many other applications within the ecosystem.

The attackers manipulated the domain name system (DNS) entries, effectively intercepting users attempting to access legitimate DeFi platforms and directing them to phishing sites designed to steal sensitive information and funds.

Initial Discovery and Scope of the Domain Registry Attack on Multiple DeFi Protocols

The attack was first detected when users attempting to access Compound Finance’s interface at compound.finance were redirected to a malicious website. This fraudulent site contained a drainer app designed to steal users’ tokens.

Concurrently, Celer Network’s domain was also targeted, but its monitoring systems successfully intercepted the takeover attempt before it could succeed.

At 1:38 p.m. UTC, Celer Network alerted the crypto community about the DNS attack.

By 3:38 p.m. UTC, Blockaid confirmed that multiple DeFi front ends were at risk of hijacking, attributing the attacks to compromised DNS records on Squarespace-hosted projects.
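DNS-record monitoring of the kind that lets a team catch such a change can be sketched as a comparison of observed records against a pinned baseline. This is an added example, not Celer's or Blockaid's tooling; the domain, name servers, address ranges and function names are constructed assumptions, and the observed records are supplied as data so the check runs offline.

```python
import ipaddress

SEVERITY_ORDER = ["info", "high", "critical"]

# Constructed baseline for a hypothetical front end (not taken from the article).
BASELINE = {
    "app.defi-example.test": {
        "NS": {"ns1.dns-host.example.", "ns2.dns-host.example."},
        "A_NETS": ["192.0.2.0/24"],  # ranges the team's own hosting uses
    }
}

# Constructed observations, as a resolver query would return them.
OBSERVED_OK = {"NS": ["NS1.dns-host.example", "ns2.dns-host.example."],
               "A": ["192.0.2.10"]}
OBSERVED_HIJACKED = {"NS": ["ns1.other-dns.example.", "ns2.other-dns.example."],
                     "A": ["203.0.113.66"]}

def _fqdn(host):
    """Normalise case and trailing dot so equal names compare equal."""
    return host.lower().rstrip(".") + "."

def check_domain(name, observed, baseline=BASELINE):
    """Return (severity, message) findings for one monitored domain."""
    expected = baseline[name]
    findings = []
    ns_seen = {_fqdn(h) for h in observed.get("NS", [])}
    if not ns_seen:
        # A failed lookup must not pass silently as "no change".
        findings.append(("high", f"{name}: no NS data, delegation unverified"))
    elif ns_seen != expected["NS"]:
        # A delegation change means control of the whole zone has moved.
        findings.append(("critical", f"{name}: NS changed to {sorted(ns_seen)}"))
    nets = [ipaddress.ip_network(n) for n in expected["A_NETS"]]
    for addr in observed.get("A", []):
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in nets):
            findings.append(("high", f"{name}: A record {addr} outside baseline"))
    return findings

def worst_severity(findings):
    """Highest severity present, or None when the domain matches its baseline."""
    return max((s for s, _ in findings), key=SEVERITY_ORDER.index, default=None)

if __name__ == "__main__":
    for label, obs in (("ok", OBSERVED_OK), ("hijacked", OBSERVED_HIJACKED)):
        print(label, check_domain("app.defi-example.test", obs))
```

In practice the observations would come from several independent resolvers, and a critical finding would page the team and trigger taking the front end offline.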

This incident has sparked discussion of the vulnerabilities of DeFi applications that rely on Web2 infrastructure.

Security experts have since identified the attack vector as likely originating from Google domain accounts used by these protocols.

Squarespace acquired Google Domains in a $180 million deal, so all associated websites are now under scrutiny.

Subsequently, 0xngmi, the developer behind DefiLlama, published a list of over 100 potentially affected DeFi protocols, including notable names like Pendle Finance, Axelar, Vertex Protocol, PolyMarket, Karak Network, Hyper Liquid, Thorchain, Hop, dYdX, Polymarket, Satoshi Protocol, Nirvana, and LooksRare.

Apart from Compound and Celer, which have been hacked, other related protocols now face heightened scrutiny as users and developers seek to secure their platforms.

Responding to 0xngmi's list, Pendle Finance confirmed the breach and also recently confirmed that it took down its page. The yield protocol warned its users against using the app and assured them that their funds were safe.

Affected DeFi Protocols Confirm Attack, No Funds Stolen

Domain name hijacking is one of several attack vectors threatening the Web3 industry. Notably, Compound Finance and Celer Network have both issued statements acknowledging the DNS attack.

Compound Finance confirmed that their domain had been compromised, redirecting users to a malicious site.

Celer Network, however, managed to detect and intercept the attack before any harm could be done.

Despite these proactive measures, both platforms continue to investigate the full extent of the attack.

Also, MetaMask, a leading Web3 wallet provider, responded by implementing warnings for users attempting to transact on compromised sites.

This proactive measure aims to mitigate the risk of token theft by alerting users to potential dangers.

Furthermore, users are urged to avoid interacting with these and other DeFi dapps hosted on Squarespace domains until further notice to prevent potential token theft.

As the investigation continues, neither Celer Network nor Compound Finance has confirmed full threat mitigation.

While no funds have been reported stolen thus far, users are advised to exercise caution and avoid interacting with DeFi dapps until further notice.

The current attack on DeFi apps via DNS vulnerabilities reveals the critical need for robust security measures in the Web3 space.

Initiatives like the SEAL 911 Telegram bot and security councils comprising industry leaders, including Coinbase, are suggested as steps toward building a more secure crypto ecosystem.

In December, an attacker compromised the Ledger Connect library by injecting malicious code, affecting nearly the entire Ethereum Virtual Machine ecosystem.

Similar incidents, such as the front-end attack on Balance and the $70 million exploit involving Curve Finance, illustrate these threats’ persistent and evolving nature.
