
    DeFi Under Attack: Sophisticated Domain Hijacking Exposed

    The community is recommended to avoid any interaction with DeFi apps housed on Squarespace domains until the danger is totally neutralized.

    Updated Jul 12, 2024
    Pedro Augusto


    A highly sophisticated domain registry hack on July 11 targeted several decentralized finance (DeFi) applications and redirected their users to malicious websites.

    The hack affected major DeFi protocols such as Compound Finance and threatened many others in the ecosystem. It chiefly involved domain names hosted by Squarespace, a widely used website-building platform.

    DNS Entries Altered by Attackers

    The attackers altered the DNS entries, so that users trying to reach legitimate DeFi front ends were sent instead to phishing websites built to harvest private information and assets.

    The problem first came to light when users attempting to access the Compound Finance interface at compound.finance were redirected to a fake website loaded with a drainer program designed to siphon tokens.

    Celer Network’s domain was targeted in a comparable attack, but its monitoring systems caught and stopped it before any damage resulted.

    Celer Network reported the DNS assault at 1:38 p.m. UTC; Blockaid, a blockchain security platform, had verified that the altered DNS records affected numerous DeFi front ends housed on Squarespace by 3:38 p.m. UTC.
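    The kind of monitoring that let Celer catch the change in time comes down to comparing what a domain currently resolves to against a pinned allowlist and alerting on any drift. The following is an added example (not code from the article or from Celer, Blockaid or Squarespace); the domain names and IP addresses are constructed documentation values, and the live resolver uses only the standard-library socket module.

```python
"""Detect unexpected DNS changes for a set of front-end domains.

A defender pins the A records each domain is expected to serve and
periodically compares the live answer against that allowlist. Any
record outside the allowlist is treated as a possible hijack.
"""
import socket
from typing import Dict, List, Set, Tuple

# Constructed sample allowlist (documentation IP ranges, not real infra).
EXPECTED_RECORDS: Dict[str, Set[str]] = {
    "app.example-defi.test": {"203.0.113.10", "203.0.113.11"},
    "bridge.example-defi.test": {"198.51.100.7"},
}

# Constructed sample of a live lookup in which one domain has been
# repointed to an address the operator never configured.
SAMPLE_OBSERVED: Dict[str, Set[str]] = {
    "app.example-defi.test": {"192.0.2.66"},      # hijacked: unknown host
    "bridge.example-defi.test": {"198.51.100.7"},  # unchanged
}


def resolve_a_records(domain: str) -> Set[str]:
    """Return the IPv4 addresses the system resolver gives for domain.

    Returns an empty set on resolution failure so the caller can flag it.
    """
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def detect_dns_drift(
    expected: Dict[str, Set[str]],
    observed: Dict[str, Set[str]],
) -> List[Tuple[str, str, str]]:
    """Compare observed records with the allowlist.

    Returns (domain, severity, detail) tuples, sorted by domain:
      critical - a record outside the allowlist (hijack indicator)
      warning  - only a subset of expected records answered (rotation?)
      error    - no answer at all (outage, takedown or resolver failure)
    """
    findings: List[Tuple[str, str, str]] = []
    for domain, allowed in sorted(expected.items()):
        seen = observed.get(domain)
        if not seen:
            findings.append(
                (domain, "error", "resolution failed or returned no A records")
            )
            continue
        unexpected = sorted(seen - allowed)
        missing = sorted(allowed - seen)
        if unexpected:
            findings.append(
                (domain, "critical",
                 f"unexpected A records {unexpected}; expected {sorted(allowed)}")
            )
        elif missing:
            findings.append(
                (domain, "warning",
                 f"subset of expected records missing: {missing}")
            )
    return findings


if __name__ == "__main__":
    # Live mode: resolve each pinned domain and report drift.
    live = {d: resolve_a_records(d) for d in EXPECTED_RECORDS}
    for domain, severity, detail in detect_dns_drift(EXPECTED_RECORDS, live):
        print(f"[{severity.upper()}] {domain}: {detail}")
```

    Run on a schedule (and ideally from more than one resolver vantage point), a "critical" finding is the signal to pause the front end and warn users, which is what the protocols named here did once the redirect was confirmed.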

    These events have spurred considerable debate about the security weaknesses of DeFi apps that depend on conventional Web2 infrastructure. Security experts believe the attack originated from the Google Domains accounts used by these DeFi platforms.

    All linked sites are now under further scrutiny following Squarespace’s purchase of Google Domains for $180 million.

    List of Potentially Impacted Protocols

    Subsequently, 0xngmi, the creator of DefiLlama, compiled over 100 possibly impacted DeFi protocols. Notable names on this list included Pendle Finance, Axelar, Vertex Protocol, PolyMarket, Karak Network, Hyper Liquid, Thorchain, Hop, dYdX, Polymarket, Satoshi Protocol, Nirvana, and LooksRare.

    Pendle Finance, whose breach was confirmed, advised users not to use the app and briefly suspended its page to prevent further use. Its funds remained safe.

    While Celer managed to identify and stop the attack in advance, Compound confirmed that its domain had been hijacked and was redirecting to a fraudulent site.

    Both Compound Finance and Celer acknowledged the DNS takeover. Despite the measures taken, both companies are still investigating the full extent of the hack.

    MetaMask Alert

    In response, well-known Web3 wallet provider MetaMask added alerts for users making transactions on the compromised websites. The feature aims to raise users’ awareness of possible threats and so reduce the chance of token theft.

    Moreover, the community is recommended to avoid any interaction with DeFi apps housed on Squarespace domains until the danger is totally neutralized to stop asset theft.

    Ongoing Threats and Necessary Precautions

    As the situation develops, neither Celer Network nor Compound Finance has confirmed that the threat has been fully eliminated. Although no fund theft has yet been recorded, heightened awareness remains important.

    This episode fits a trend of growing risks in the Web3 space and underlines the crucial need for strong security mechanisms.

    Previous events, such as the $70 million Curve Finance hack and the malicious code injection into the Ledger Connect library in December, which affected practically the whole Ethereum Virtual Machine ecosystem, show the continuous and evolving nature of these threats.

    Initiatives such as the SEAL 911 Telegram bot and security councils involving industry players like Coinbase have been discussed as possible ways to strengthen the crypto ecosystem against such vulnerabilities.

    Pedro Augusto

    Editor

    Pedro Augusto is a financial writer and editor fluent in Portuguese and English, specializing in finance, economics, and investments. He holds degrees in Mechanical Engineering and Financial Management. Pedro is a financial analyst for stocks, ETFs, and macroeconomics on Seeking Alpha, a seasoned translator in the Forex market for companies like OctaFX and FBS, and experienced in localizing content for the currency exchange and international remittances market, notably for the Remitly startup. Additionally, he's a skilled writer and translator in the cryptocurrency and blockchain sector, working with firms like Phemex and Coinpanda.