Major DNS Hijacking Attack Compromises Multiple DeFi Applications via Squarespace Domains
A large-scale DNS hijacking attack has compromised the front end of Compound Finance, targeted Celer Network, and potentially puts over 120 DeFi protocols whose domains are registered with Squarespace at risk.
DeFi Applications Under Attack
On July 11, multiple decentralized finance (DeFi) applications fell victim to a DNS hijacking attack against domains registered with Squarespace. Blockchain security company Blockaid identified a widespread domain hijacking campaign impacting Compound Finance, Celer Network, and potentially 120 other DeFi protocols.
The attack began with the compromise of the DNS records for compound.finance: the domain was redirected from the legitimate front-end interface to a phishing site hosting a wallet drainer, a script designed to drain funds from wallets that connect to it and sign what it requests. Compound Labs confirmed the compromise of their site's front end. A hijack of this kind replaces only the web front end; the protocol's on-chain contracts are unchanged, but any user who visits the hijacked domain and signs the drainer's transactions loses funds. Celer Network, however, detected and blocked a similar takeover attempt thanks to its domain monitoring system.
Investigation and Initial Findings
Blockaid's investigation revealed that the attacker targeted domain names registered through Squarespace, which puts any DeFi application with a Squarespace-managed domain at risk. Blockaid first observed the activity on July 6, when it was flagged as benign; by July 11 it had escalated into an active hijacking campaign.
The attacker appears to have gained control of the DNS records of domains managed at Squarespace. That is enough to point a project's domain at an attacker-controlled web server and serve a phishing copy of the site from the legitimate address: no exploit of the project's own infrastructure is required, because once the records change, browsers and wallets see the attacker's server at the real domain. How the attacker obtained access to those records had not been confirmed at the time of writing.
Researcher samczsun from Paradigm suggested that the hack may have originated from the Google Domains accounts these protocols had used. Squarespace acquired Google Domains in a deal valued at around $180 million last year, and the domains registered there were migrated to Squarespace, placing their DNS management under Squarespace's control.
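The defence that worked here was the domain monitoring Celer Network ran, and the attack itself was a change of DNS records rather than an exploit of the site. The following is an added example of that monitoring approach (a baseline-and-diff check over NS and A records), written for this page; it is not Celer's, Blockaid's or Squarespace's code. All domain names, nameservers and IP addresses in it are constructed from reserved example ranges, and `fake_resolve` stands in for a real DNS lookup so the script runs offline; `live_resolve` shows the equivalent query with the dnspython library.

```python
"""Baseline-and-diff DNS monitor: records the NS and A record sets a team
expects for each domain and reports any drift. Added example, not code
from Celer Network, Blockaid or Squarespace. All names and addresses
below are constructed (RFC 2606 / RFC 5737 reserved values)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class DnsSnapshot:
    """The record sets that decide where a domain's web front end points."""
    ns: FrozenSet[str]  # authoritative nameservers (the delegation held at the registrar)
    a: FrozenSet[str]   # A records of the front-end host


# (record type, records added, records removed)
Change = Tuple[str, FrozenSet[str], FrozenSet[str]]


def diff_snapshot(baseline: DnsSnapshot, observed: DnsSnapshot) -> List[Change]:
    """Return one (type, added, removed) entry for every record set that drifted."""
    changes: List[Change] = []
    for rtype in ("ns", "a"):
        before: FrozenSet[str] = getattr(baseline, rtype)
        after: FrozenSet[str] = getattr(observed, rtype)
        if before != after:
            changes.append((rtype.upper(), after - before, before - after))
    return changes


def classify(changes: List[Change]) -> str:
    """NS drift means the delegation itself moved, which is what a registrar-level
    takeover looks like, so it outranks an A-record change (possibly a legitimate
    re-deploy that only needs review)."""
    if not changes:
        return "ok"
    if any(rtype == "NS" for rtype, _, _ in changes):
        return "critical"
    return "warning"


def monitor(baselines: Dict[str, DnsSnapshot],
            resolve: Callable[[str], DnsSnapshot]) -> Dict[str, Tuple[str, List[Change]]]:
    """Resolve every monitored domain and report (severity, changes) per domain."""
    report: Dict[str, Tuple[str, List[Change]]] = {}
    for name, base in baselines.items():
        changes = diff_snapshot(base, resolve(name))
        report[name] = (classify(changes), changes)
    return report


# Constructed baseline: what the team recorded when the site was deployed.
BASELINES: Dict[str, DnsSnapshot] = {
    "defi-app.example": DnsSnapshot(
        ns=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
        a=frozenset({"203.0.113.10"})),
    "untouched.example": DnsSnapshot(
        ns=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
        a=frozenset({"203.0.113.20"})),
}

# Constructed live answers standing in for a resolver: the first domain has been
# re-delegated to attacker nameservers and now resolves to a phishing host.
FAKE_ANSWERS: Dict[str, DnsSnapshot] = {
    "defi-app.example": DnsSnapshot(
        ns=frozenset({"ns1.attacker.example"}),
        a=frozenset({"198.51.100.7"})),
    "untouched.example": BASELINES["untouched.example"],
}


def fake_resolve(name: str) -> DnsSnapshot:
    """Offline stand-in for a DNS lookup, returning the constructed answers above."""
    return FAKE_ANSWERS[name]


def live_resolve(name: str) -> DnsSnapshot:
    """Real lookup using dnspython (pip install dnspython). Querying each
    authoritative server directly, rather than a caching resolver, would
    surface a re-delegation sooner; this version keeps to the simplest calls."""
    import dns.resolver  # imported here so the rest of the file runs without it
    ns = frozenset(r.target.to_text().rstrip(".") for r in dns.resolver.resolve(name, "NS"))
    a = frozenset(r.address for r in dns.resolver.resolve(name, "A"))
    return DnsSnapshot(ns=ns, a=a)


if __name__ == "__main__":
    for domain, (severity, drift) in monitor(BASELINES, fake_resolve).items():
        print(domain, severity, drift)
```

Run on the constructed data, `defi-app.example` comes back `critical` with both an NS and an A change, while `untouched.example` is `ok`. In practice the baseline belongs in version control alongside the deployment config, the check runs on a schedule from infrastructure the registrar account cannot touch, and a `critical` result should page someone, since by the time the A record points at a phishing host every visitor is already at risk.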
Broader Impact and Response
0xngmi, a developer at the blockchain analytics platform DefiLlama, shared a list of 126 DeFi protocols whose domains could potentially be affected by the attack. Notable projects on this list include Thorchain, Aptos Labs, Near, Flare, Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, Ferrum, and MantaDAO.
In response to the threat, MetaMask, a popular Web3 wallet, announced that it would warn users about potentially compromised applications. MetaMask users attempting to interact with known affected sites receive warnings generated by Blockaid, whose threat intelligence powers MetaMask's security alerts.
Historical Context and Future Implications
This incident is one of several supply-chain attacks on the Web3 industry over the past year. In December, an attacker inserted malicious code into Ledger's Connect Kit library, a front-end dependency used by a large share of Ethereum Virtual Machine dApps, so that sites loading the compromised version served a drainer to their users. The domain-level methods seen against DeFi protocols range from pre-registration tactics to bulk domain registrations mixed in with legitimate Squarespace domains.
The attack highlights that a protocol's security is only as strong as the registrar account that controls its domain. Strong authentication on that account, registrar locks on the domain, and independent monitoring of NS and A records, as Celer Network's system did here, are the measures that would have prevented or caught this takeover.
Disclaimer: This article is for informational purposes only. It is not intended to be used as legal, tax, investment, financial, or other advice.