DNS hijacking attack targets multiple DeFi protocols
Full summary
- Several DeFi protocols, including Compound Finance and Celer Network, were targeted by a DNS hijacking attack.
- The attack appears to target domains registered through Squarespace.
- More than 220 DeFi protocol frontends could still be at risk.
- The attackers are believed to be using the Inferno Drainer wallet kit to steal funds.
- Some security measures, such as requiring wallet signatures for DNS updates, have been suggested to prevent future attacks.
On July 11, 2024, several decentralized finance (DeFi) protocols were hit by a DNS hijacking attack. The incident affected major players in the crypto space, including Compound Finance and Celer Network.
Security experts believe the attack targets domains registered through Squarespace, a popular website building and hosting platform.
The attack was first noticed when users reported that the Compound Finance website (compound.finance) was redirecting to a malicious page.
The fake page contained a “drainer” application designed to steal users’ cryptocurrency tokens. Shortly after, Celer Network announced that it had also been targeted, but its domain monitoring system detected the attack before it was successful.
Blockchain security firm Blockaid is closely monitoring the situation. According to Ido Ben-Natan, Blockaid’s co-founder and CEO, the attackers targeted DNS records hosted on Squarespace. These records were redirected to IP addresses known for malicious activity.
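The detection Celer's domain monitoring performed, and the check Blockaid describes (an answer that drifts from the pinned records or lands on addresses already known as malicious), can be reduced to a small scheduled job. The following is an added example and not code from Blockaid, Celer or any of the affected projects; the domain names, pinned addresses and "known-bad" range are constructed placeholder values, and the resolver answer is a constructed snapshot rather than a live DNS query so the check runs offline.

```javascript
// Added example (not any project's code): DNS-drift check for protocol frontends.
// An operator pins the A-record answers observed while the site was known-good;
// each run compares a fresh resolver answer against the pin and additionally
// flags any answer inside a threat-intel range. All values below are constructed.

function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  // >>> 0 keeps the first octet's shift from going negative in int32 arithmetic
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid CIDR: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Pinned answers recorded while each frontend was known-good (constructed).
const EXPECTED_RECORDS = {
  'app.example-defi.test': ['203.0.113.10', '203.0.113.11'],
  'bridge.example-defi.test': ['198.51.100.20'],
};

// Ranges flagged by threat intelligence (constructed placeholder, TEST-NET-1).
const KNOWN_BAD_RANGES = ['192.0.2.0/24'];

// Compare one domain's current answers with its pin and the bad-range list.
function checkDomain(domain, answers, expected = EXPECTED_RECORDS, badRanges = KNOWN_BAD_RANGES) {
  const pinned = new Set(expected[domain] || []);
  const unexpected = answers.filter(ip => !pinned.has(ip));
  const flagged = answers.filter(ip => badRanges.some(r => inCidr(ip, r)));
  const missing = [...pinned].filter(ip => !answers.includes(ip));
  let severity = 'ok';
  if (flagged.length > 0) severity = 'critical';          // redirect to a known-bad host
  else if (unexpected.length > 0 || missing.length > 0) severity = 'warning'; // any drift at all
  return { domain, severity, unexpected, flagged, missing };
}

// Constructed resolver snapshot: the first domain still matches its pin (order
// differs, which is fine); the second now answers with an address inside the
// flagged range, which is what a hijacked registrar-hosted zone looks like here.
const SAMPLE_RESOLUTION = {
  'app.example-defi.test': ['203.0.113.11', '203.0.113.10'],
  'bridge.example-defi.test': ['192.0.2.77'],
};

function runChecks(resolution = SAMPLE_RESOLUTION) {
  return Object.entries(resolution).map(([domain, answers]) => checkDomain(domain, answers));
}

for (const result of runChecks()) console.log(JSON.stringify(result));
```

In a real deployment the snapshot would come from a resolver query (ideally from more than one vantage point, since a hijack at the registrar changes the authoritative answer everywhere), and a `critical` result would page the team and trigger the same user-facing warning path the wallets used here.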
⚠️ Developing situation – Several DeFi front-ends are at risk of being hacked, with a few incidents having already occurred, with projects like @compoundfinance and @CelerNetwork hacked in the last 24 hours.
We will update this thread with details as they become available. pic.twitter.com/iWQR0ByIgB
— Blockaid (@blockaid_) July 11, 2024
Ben-Natan said that while the full extent of the hack is not yet known, approximately 228 DeFi protocol interfaces could still be at risk.
The attack is believed to be the work of a group known as Inferno Drainer. This group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities.
Their wallet kit allows cybercriminals to trick users into signing malicious transactions, giving the attackers control of their digital assets.
Security researchers have identified shared infrastructure used by the Inferno Drainer group, making it easier to track and identify associated attacks.
Blockaid has worked closely with the crypto community to maintain an open channel for reporting compromised sites.
The incident has sparked discussions about improving security measures for DeFi protocols. Matthew Gould, founder of Web3 domain provider Unstoppable Domains, suggested creating verified on-chain records for domains. This would add an extra layer of protection for browsers and other systems to verify, helping to reduce the risk of DNS attacks.
Gould also proposed a new feature where DNS updates would require a signature from the user’s wallet. This would make it much harder for hackers, as they would have to compromise the registrar and the user’s wallet separately.
In response to the attack, several cryptocurrency projects and platforms have taken action. MetaMask, a popular Web3 wallet, announced that it was working to warn users of potentially compromised applications associated with the attack.
Users attempting to make a transaction on a site known to be involved in the current attack will see a warning provided by Blockaid.
For those of you using MetaMask, you will see a warning provided by @blockaid_ if you attempt to make a transaction on a known site involved in this current attack. #mmsecurity https://t.co/Fk0sAjaeit
— MetaMask (@MetaMask) July 11, 2024
The crypto community has stepped up to raise awareness and minimize potential damage. DefiLlama developer 0xngmi shared a list of over 100 DeFi protocols that could be affected by the attack, including well-known names like Pendle Finance, dYdX, Polymarket, and LooksRare.