TLDR
- Multiple DeFi protocols, including Compound Finance and Celer Network, were targeted in a DNS hijacking attack.
- The attack appears to be targeting domains registered through Squarespace.
- Over 220 DeFi protocol front ends may still be at risk.
- The attackers are believed to be using the Inferno Drainer wallet kit to steal funds.
- Some security measures, like requiring wallet signatures for DNS updates, have been suggested to prevent future attacks.
On July 11, 2024, several decentralized finance (DeFi) protocols were hit by a DNS hijacking attack. The incident affected major players in the crypto space, including Compound Finance and Celer Network.
Security experts believe the attack is targeting domains registered through Squarespace, a popular website builder and hosting platform.
The attack was first noticed when users reported that the Compound Finance website (compound.finance) was redirecting to a malicious page.
This fake page contained a “drainer” app designed to steal users’ cryptocurrency tokens. Shortly after, Celer Network announced that it had also been targeted, but its domain monitoring system caught the attack before it could succeed.
Blockchain security firm Blockaid has been closely monitoring the situation. According to Ido Ben-Natan, co-founder and CEO of Blockaid, the attackers targeted DNS records hosted on Squarespace. These records were redirected to IP addresses known for malicious activities.
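A domain monitor of the kind Celer credits with catching the redirect works by diffing fresh resolutions against a known-good baseline and flagging any record that moves outside the project's own hosting ranges. The check below is an added example, not code from the article or from Celer, Blockaid or any project named here; the domain, nameservers and IP ranges are constructed placeholders (RFC 5737 documentation space), and a real deployment would feed it live lookups.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """One resolution result: the front end's A records plus delegated nameservers."""
    a_records: frozenset
    nameservers: frozenset


# Hypothetical known-good baseline, captured while the site was verified intact.
BASELINE = DnsSnapshot(
    a_records=frozenset({"203.0.113.10", "203.0.113.11"}),
    nameservers=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
)
# Hypothetical hosting ranges the project actually deploys to (constructed).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def classify(current, baseline=BASELINE, allowed_nets=ALLOWED_NETS):
    """Return (severity, alerts) for a fresh snapshot versus the baseline.

    'ok': nothing changed; 'review': new A records still inside the project's own
    ranges (plausible deploy, confirm with the team); 'critical': delegation moved,
    records vanished, or an A record points where the project never hosts.
    """
    order = {"ok": 0, "review": 1, "critical": 2}
    alerts, severity = [], "ok"

    def raise_to(level):
        nonlocal severity
        if order[level] > order[severity]:
            severity = level

    if current.nameservers != baseline.nameservers:
        # A registrar-level nameserver swap is the strongest hijack signal.
        alerts.append(f"nameservers changed: {sorted(current.nameservers)}")
        raise_to("critical")
    for ip in sorted(current.a_records - baseline.a_records):
        if any(ipaddress.ip_address(ip) in net for net in allowed_nets):
            alerts.append(f"new A record inside allowed range: {ip}")
            raise_to("review")
        else:
            alerts.append(f"A record outside allowed ranges: {ip}")
            raise_to("critical")
    if not current.a_records:
        alerts.append("no A records returned")
        raise_to("critical")
    return severity, alerts
```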
⚠️ Developing situation – Multiple DeFi front ends are at risk of hijacking, with a few incidents already taking place, with projects like @compoundfinance and @CelerNetwork getting hacked over the past 24 hours.
We will update this thread with details as we go. pic.twitter.com/iWQR0ByIgB
— Blockaid (@blockaid_) July 11, 2024
Ben-Natan stated that while the full extent of the hijack is not yet known, approximately 228 DeFi protocol front ends could still be at risk.
The attack is believed to be the work of a group known as Inferno Drainer. This group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities.
Their wallet kit allows cybercriminals to trick users into signing malicious transactions, giving the attackers control over their digital assets.
Security researchers have identified shared infrastructure used by the Inferno Drainer group, making it easier to track and identify related attacks.
Blockaid has been working closely with the crypto community to maintain an open channel for reporting compromised sites.
The incident has sparked discussions about improving security measures for DeFi protocols. Matthew Gould, founder of Web3 domain provider Unstoppable Domains, suggested creating verified on-chain records for domains. This would add an extra layer of protection for browsers and other systems to check, helping to reduce the risk of DNS attacks.
Gould also proposed a new feature where DNS updates would require a signature from the user’s wallet. This would make it much harder for hackers, as they would need to compromise both the registrar and the user’s wallet separately.
In response to the attack, several crypto projects and platforms have taken action. MetaMask, a popular Web3 wallet, announced that it is working to warn users of potentially compromised apps associated with the attack.
Users attempting to transact on any known site involved in the current attack will see a warning provided by Blockaid.
For those of you using MetaMask, you’ll see a warning provided by @blockaid_ if you attempt to transact on any known site that’s involved in this current attack. #mmsecurity https://t.co/Fk0sAjaeit
— MetaMask (@MetaMask) July 11, 2024
The crypto community has rallied to spread awareness and minimize potential damage. DefiLlama developer 0xngmi shared a list of over 100 DeFi protocols that may be affected by the attack, including well-known names like Pendle Finance, dYdX, Polymarket, and LooksRare.