DeFi Hack Alert: Squarespace Domains Vulnerable to DNS Hijacking


DeFi apps on Squarespace are vulnerable to a DNS hijacking attack that redirects users to malicious sites. Over 120 DeFi protocols are potentially vulnerable, including Compound and Celer Network. Learn more about the DeFi security risk and how to protect yourself.

DeFi (Decentralized Finance) has emerged as a revolutionary force in the financial world. By leveraging blockchain technology, DeFi applications aim to empower users with more control over their finances with no interference from intermediaries. However, a recent security breach has exposed a vulnerability in DeFi apps hosted on Squarespace, a popular website-building platform.

The attack involved hackers hijacking the Domain Name System (DNS) records of DeFi applications. DNS acts as the phonebook of the internet, translating human-readable domain names into numerical IP addresses that computers can understand. 

This domain-registrar attack, which occurred on July 11, 2024, potentially affected around 128 DeFi protocols. Oxngmi, a developer at the blockchain analytics platform DefiLlama, shared a list captioned “List of domains that are registered with Squarespace and thus could be vulnerable.”

celer.network
pendle.finance
karak.network
compound.finance
hyperliquid.xyz
dydx.exchange
thorchain.com
threshold.network
nostra.finance
axelar.network
ariesmarkets.xyz
amnis.finance
mendi.finance
vertexprotocol.com
hop.exchange
polymarket.com
ouchi.finance
cellana.finance
orderly.network
aftermath.finance
yieldyak.com
evaa.finance
idle.finance
aftermath.finance
term.finance
steer.finance
wrapped.com
bitcow.xyz
hover.market
herewallet.app
pooltogether.com
xwin.finance
flat.money
kokonutswap.finance
mstable.org
klaybank.org
premia.finance
port.finance
antfarm.finance
sailingprotocol.org
d8x.exchange
pooltogether.com
apricot.one
tbtc.network
saddle.finance
toucan.earth
yieldyak.com
lockon.finance
aloe.capital
starlay.finance
unsheth.xyz
definix.com
stcelo.xyz
satoshiprotocol.org
fractional.art
stabble.org
kagla.finance
sonne.finance
dackieswap.xyz
88mph.app
ion.wtf
rift.finance
tashi.finance
premia.finance
layer2.finance
dackieswap.xyz
liquidfinance.xyz
tranche.finance
phoenixfi.app
fodl.finance
sailingprotocol.org
snowswap.org
rskswap.com
muuu.finance
sense.finance
aux.exchange
loanshark.tech
option.dance
viamover.com
metastreet.xyz
chainlist.org
jibswap.com
mare.finance
blastbrrr.com
unifiprotocol.com
auragi.finance
summitdefi.com
kassandra.finance
mozaic.finance
archimedesfi.com
3xcalibur.com
dirac.finance
thedragonslair.farm
thegeniustoken.com
esper.finance
astrofi.org
ohmycrypt.com
xbank.finance
nirvana.finance
mare.finance
thorchain.org
olympusdao.finance
avalaunch.app
syncbond.com
gyro.money
rvrs.app
tempus.finance
rare.fyi
ferrum.network
looksrare.org
ratio.finance
opulous.org
nftearth.exchange
pxswap.xyz
aptoslabs.com
unifiprotocol.com
foundation.app
florence.finance
near.org
safe.global
mantadao.app
meowl.xyz
aftermath.finance
litecoin.org
flare.network
tna-btc.com

According to an investigation by blockchain security platform Blockaid, the attacker took control of the DNS records for Compound Finance and attempted to do the same to Celer Network. With control of the DNS records, the attacker could point the legitimate DeFi domains at phishing sites that harvested sensitive information and drained funds.

❗️This incident is still ongoing – we are seeing new malicious sites impersonating additional brands being created by the same attackers.

We urge projects to double check their domain security settings – feel free to reach out by DM for additional security guidance. https://t.co/B2L7JRpzCR

— Blockaid (@blockaid_) July 12, 2024

The attack was detected after users noted that Compound’s interface led to a malicious website featuring a token-draining application, and Celer Network confirmed an attempted domain takeover, which its monitoring system successfully thwarted. Both acknowledged the attack in separate statements.

Further probing revealed that the attacker is specifically targeting Squarespace domain names, which puts every DeFi app with a Squarespace domain at risk.
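The detection Celer Network's monitoring relied on, and the "double check your domain security settings" advice from Blockaid, both come down to one control: keep a pinned baseline of the nameservers and addresses your domain should resolve to, re-resolve on a schedule, and alert the moment anything outside the baseline appears. The following is an added example written for this article, not code from any of the projects named here; the domain, nameserver names and addresses are constructed (reserved `.test` names and documentation IP ranges), and the `lookup_a` helper is an assumption about how a live check would be wired in.

```python
"""Baseline-vs-observed DNS drift check (added example, not from the article)."""
from dataclasses import dataclass, field
import socket


@dataclass(frozen=True)
class DnsBaseline:
    """What the domain is expected to resolve to, pinned at a known-good time."""
    domain: str
    nameservers: frozenset  # expected NS hostnames for the zone
    a_records: frozenset    # expected IPv4 addresses of the app front end


@dataclass
class DriftReport:
    domain: str
    unexpected_ns: set = field(default_factory=set)
    missing_ns: set = field(default_factory=set)
    unexpected_a: set = field(default_factory=set)
    missing_a: set = field(default_factory=set)

    @property
    def hijack_suspected(self) -> bool:
        # A record that was never in the baseline is the signal worth paging on.
        # A missing record on its own may just be a partial or cached answer.
        return bool(self.unexpected_ns or self.unexpected_a)


def _norm(names) -> frozenset:
    # DNS names are case-insensitive and often come back with a trailing dot.
    return frozenset(n.lower().rstrip(".") for n in names)


def detect_drift(baseline: DnsBaseline, observed_ns, observed_a) -> DriftReport:
    """Compare an observed NS/A answer set against the pinned baseline."""
    ns_seen, a_seen = _norm(observed_ns), _norm(observed_a)
    return DriftReport(
        domain=baseline.domain,
        unexpected_ns=set(ns_seen - baseline.nameservers),
        missing_ns=set(baseline.nameservers - ns_seen),
        unexpected_a=set(a_seen - baseline.a_records),
        missing_a=set(baseline.a_records - a_seen),
    )


def lookup_a(hostname: str) -> set:
    """Live IPv4 lookup through the system stub resolver (stdlib only).
    Assumed wiring for a scheduled job; not exercised by the sample below."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


# Constructed sample data: a reserved .test domain and documentation-range IPs.
SAMPLE_BASELINE = DnsBaseline(
    domain="example-defi.test",
    nameservers=frozenset({"ns1.example-dns.test", "ns2.example-dns.test"}),
    a_records=frozenset({"192.0.2.10", "192.0.2.11"}),
)

# Normal answer: same records, different case and trailing dots (should not alert).
SAMPLE_OBSERVED_NORMAL = (
    ["NS1.example-dns.test.", "ns2.Example-DNS.test."],
    ["192.0.2.10", "192.0.2.11"],
)

# Hijacked answer: zone delegated to a foreign nameserver, front end moved (should alert).
SAMPLE_OBSERVED_HIJACKED = (
    ["ns1.attacker-controlled.test", "ns2.example-dns.test"],
    ["198.51.100.7"],
)


def run_sample():
    """Run the check over both constructed answers; returns (normal, hijacked) reports."""
    normal = detect_drift(SAMPLE_BASELINE, *SAMPLE_OBSERVED_NORMAL)
    hijacked = detect_drift(SAMPLE_BASELINE, *SAMPLE_OBSERVED_HIJACKED)
    return normal, hijacked


if __name__ == "__main__":
    for report in run_sample():
        status = "ALERT" if report.hijack_suspected else "ok"
        print(f"{report.domain}: {status} {report}")
```

In a real deployment the baseline would be stored outside the registrar account it protects, the observed answers would be pulled from several public resolvers rather than one (a hijack at the registrar propagates to all of them, while a single poisoned cache does not), and the alert path should not depend on e-mail at the same domain, since mail routing is one of the records an attacker controlling the zone can redirect.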

In response to the attack, MetaMask, a popular Web3 wallet, has implemented a warning system to flag potentially compromised DeFi apps. This additional layer of security aims to protect users from unknowingly interacting with malicious websites.

While the exact methods employed by the attackers remain under investigation, it is speculated that the attack vector originated from the Google Domains accounts these protocols had used. Squarespace acquired around 10 million domains hosted on Google Domains for $180 million in 2023, and that migration could have provided attackers with a foothold for gaining access to sensitive DNS settings.

The DeFi space is still in its early stages, and security remains a significant concern. In December 2023, an attacker injected malicious code into the Ledger Connect library, affecting the Ethereum Virtual Machine ecosystem.

These incidents highlight the need for DeFi developers to prioritize robust security measures and for users to exercise caution when interacting with DeFi apps, especially those built on less rigorous security practices.
