The decentralized finance (DeFi) sector is facing a serious threat after a wave of domain hijacking attacks, prompting security experts and industry leaders to advise users to temporarily halt their interactions with crypto services. On July 11, attackers who took control of domains at the registrar level compromised the web front ends of multiple DeFi applications, redirecting users to malicious websites and sparking widespread concern.
The Incident
The breach primarily involved domain names managed through Squarespace, a popular website-building service and domain registrar that recently acquired Google Domains. The forced migration of those domains into Squarespace accounts left a gap: two-factor authentication (2FA) did not carry over, which left the migrated registrar accounts open to takeover. Control of a registrar account is enough to change a domain's nameservers or DNS records, so the attackers could point the affected domains at servers they controlled and redirect visitors to phishing sites designed to steal sensitive information and funds. The protocols' smart contracts and their own web servers were not compromised; what changed was where the domain name resolved.
The attack was first detected when users attempting to access Compound Finance’s interface at compound.finance were redirected to a fraudulent site hosting a wallet drainer meant to steal tokens. Celer Network’s domain was targeted next, but its monitoring systems caught the takeover attempt in time to block it.
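The kind of external monitoring that let Celer catch the takeover is straightforward to build. The following is an added example, not code from Celer, Compound or any other project named here: it compares a committed baseline of a domain's NS and A records against snapshots taken from several resolvers and raises an alert when the delegation or the address set changes. The domain, nameservers, addresses and resolver names are constructed for illustration; in production the snapshots would come from live DNS queries against independent resolvers, run on a schedule.

```python
"""DNS drift monitor (hypothetical example).

A registrar-account takeover shows up from the outside as a change in the
domain's delegation (NS records) or in the addresses it resolves to (A records).
This compares a known-good baseline with observations from several vantage
points and classifies each difference.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

RecordSet = Dict[str, FrozenSet[str]]   # record type -> set of records
ZoneView = Dict[str, RecordSet]         # domain -> RecordSet


def normalize(records: Iterable[str]) -> FrozenSet[str]:
    """DNS names are case-insensitive and answers often carry a trailing dot;
    fold both so a cosmetic difference is never reported as drift."""
    return frozenset(r.strip().lower().rstrip(".") for r in records)


@dataclass(frozen=True)
class Alert:
    vantage: str
    domain: str
    rtype: str
    expected: FrozenSet[str]
    observed: FrozenSet[str]
    severity: str  # "warn" or "critical"


def classify(rtype: str, expected: FrozenSet[str], observed: FrozenSet[str]) -> str:
    """Decide how serious a difference between baseline and observation is."""
    if observed == expected:
        return "ok"
    if not observed:
        # Empty answer or timeout: may be an outage, but worth a look.
        return "warn"
    if rtype == "NS":
        # Any change to the delegation means the domain now answers from
        # nameservers the team did not configure: this is what a registrar
        # account takeover looks like from outside.
        return "critical"
    if observed.isdisjoint(expected):
        # Wholesale replacement of the address set: traffic goes elsewhere.
        return "critical"
    # Overlaps with the baseline: an added or missing record, possibly
    # propagation of a planned change. Still worth a human look.
    return "warn"


def check_domains(baseline: ZoneView, observed: Dict[str, ZoneView]) -> List[Alert]:
    """Compare every vantage point's view of every baselined domain."""
    alerts: List[Alert] = []
    for vantage, view in observed.items():
        for domain, expected_sets in baseline.items():
            seen_sets = view.get(domain, {})
            for rtype, expected in expected_sets.items():
                want = normalize(expected)
                got = normalize(seen_sets.get(rtype, ()))
                severity = classify(rtype, want, got)
                if severity != "ok":
                    alerts.append(Alert(vantage, domain, rtype, want, got, severity))
    return alerts


def worst_severity(alerts: List[Alert]) -> str:
    if any(a.severity == "critical" for a in alerts):
        return "critical"
    return "warn" if alerts else "ok"


# Constructed baseline: recorded by the team after verifying its own setup.
BASELINE: ZoneView = {
    "example-defi.test": {
        "NS": frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
        "A": frozenset({"203.0.113.10", "203.0.113.11"}),
    },
}

# Constructed observations. resolver-eu still sees the real zone (with the
# trailing dots and mixed case a real answer carries); resolver-us sees a
# hijacked delegation and address; resolver-ap sees a partial address set.
OBSERVED: Dict[str, ZoneView] = {
    "resolver-eu": {"example-defi.test": {
        "NS": frozenset({"NS1.registrar.example.", "ns2.registrar.example."}),
        "A": frozenset({"203.0.113.10", "203.0.113.11"}),
    }},
    "resolver-us": {"example-defi.test": {
        "NS": frozenset({"ns1.attacker.example", "ns2.attacker.example"}),
        "A": frozenset({"198.51.100.7"}),
    }},
    "resolver-ap": {"example-defi.test": {
        "NS": frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
        "A": frozenset({"203.0.113.10"}),
    }},
}

if __name__ == "__main__":
    found = check_domains(BASELINE, OBSERVED)
    for a in found:
        print(f"[{a.severity}] {a.vantage}: {a.domain} {a.rtype} "
              f"expected {sorted(a.expected)} observed {sorted(a.observed)}")
    print("overall:", worst_severity(found))
```

A delegation change reported as critical from even one vantage point is the signal to take the front end offline and raise it with the registrar; waiting for every resolver to agree only gives the hijacked zone time to propagate.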
Warnings and Precautions
In response to the attacks, CoinGecko founder Bobby Ong advised the community to refrain from interacting with crypto services until the issue is resolved. “Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved,” Ong recommended.
Security researcher samczsun suggested that affected teams consider moving to registrars with a stronger security track record, such as Cloudflare, Amazon Web Services Route 53, MarkMonitor, and CSC DBS; what these have in common is support for registrar lock and strong 2FA on the registrar account. Additionally, Matthew Gould, CEO of Unstoppable Domains, emphasized that Web3 domains could offer enhanced security through verified onchain records and DNS configurations requiring verified onchain signatures.
Impact and Community Response
Blockchain security platform Blockaid confirmed that the attack affected numerous prominent DeFi protocols, including Compound Finance and Celer Network. Because the attackers controlled the DNS records of the hijacked domains, every other application whose domain sat in a migrated Squarespace account was at risk. 0xngmi, a developer at DefiLlama, published a list of over 100 potentially affected protocols, including Pendle Finance, Axelar, Vertex Protocol, Polymarket, Karak Network, Hyperliquid, Thorchain, Hop, dYdX, Satoshi Protocol, Nirvana, and LooksRare.
Pendle Finance confirmed the breach and temporarily took down its page, urging users to stay off the app, while confirming that user funds remained safe. Similarly, MetaMask, a leading Web3 wallet provider, implemented warnings for users attempting to transact on compromised sites to mitigate the risk of token theft.
Ongoing Investigation and Security Measures
Despite proactive measures by Compound Finance and Celer Network, both platforms continue to investigate the full extent of the attack. The situation underscores the urgent need for robust security practices in the Web3 space, starting with the registrar accounts that control a project's domains. Initiatives like the SEAL 911 Telegram bot and security councils comprising industry leaders, including Coinbase, have been suggested as steps toward a more secure crypto ecosystem.
Historical incidents, such as the Ledger Connect Kit library compromise and the $70 million exploit involving Curve Finance, highlight the persistent and evolving nature of these threats. As the investigation continues, users are strongly advised to exercise caution and avoid interacting with DeFi dapps until further notice to prevent potential token theft.
In conclusion, the recent domain hijacking attacks have exposed how much of the DeFi ecosystem's security rests on ordinary Web2 infrastructure such as domain registrars, prompting urgent warnings from industry leaders and security experts. Until these issues are fully resolved, the safest course of action for users is to avoid interacting with crypto services to protect their assets and personal information.