Over 120 DeFi protocols at risk in suspected Squarespace DNS attack
Key Takeaways
- Blockaid identified a DNS attack targeting DeFi apps hosted on Squarespace.
- MetaMask is actively warning users about compromised DeFi applications.
Blockchain security firm Blockaid has warned of a possibly widespread domain hijacking incident affecting Compound, Celer Network, and potentially 120 other protocols. According to the report, a new frontend attack was detected today, July 11, preceded by an initially benign attack from July 6.
This development follows a Crypto Briefing report earlier today about Compound Labs’ confirmation that the front-end for their website, compound[.]finance was compromised. Blockaid notes that the attacker has also attempted to compromise Celer Network after gaining control of Compound’s DNS.
The attack was first detected when users noticed Compound’s interface at compound[.]finance redirecting to a malicious website containing a token-draining application. Celer Network also confirmed an attempted takeover of its domain, which was thwarted by its monitoring system.
Blockaid’s investigation suggests the attacker is specifically targeting domain names provided by Squarespace, potentially putting any DeFi app using a Squarespace domain at risk.
“From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace,” the security firm stated on X.
0xngmi, developer of blockchain analytics platform DefiLlama, shared a list of 125 DeFi protocols that may be affected by this attack. The list includes prominent projects such as Thorchain, Aptos Labs, Near, Flare, Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, Ferrum, and MantaDAO, among others.
In response to the threat, Web3 wallet MetaMask announced it is working to warn users of potentially compromised apps associated with the attack. “For those of you using MetaMask, you’ll see a warning provided by @blockaid_ if you attempt to transact on any known site that’s involved in this current attack,” the company stated.
This domain-name hijacking incident is the latest in a series of attacks targeting the DeFi sector. In December, a similar attack saw malicious code injected into the Ledger Connect library, affecting a large portion of the Ethereum Virtual Machine ecosystem.
Possible exploit methods
The possible DNS attack on over 120 DeFi protocols has sparked speculation about the potential exploit methods employed.
According to a security researcher in direct contact with this author, the possible methods could range from sophisticated pre-registration tactics, in which threat actors may have registered domains before the transfers from Google to Squarespace were completed, to mass domain sign-ups potentially mixed with legitimate Squarespace domains.
The researcher, who responded to queries on the condition of anonymity, noted that this series of incidents could also have been executed through DNS cache poisoning, more commonly known as DNS spoofing, a method in which false data is injected into a DNS cache, resulting in DNS queries returning an incorrect response and directing users to wrong, possibly malicious websites.
Based on this author’s conversations with the security researcher, more alarming theories suggest a direct breach of Squarespace’s security, potentially allowing attackers to manipulate DNS records directly from the source.
While a typical domain transfer lock-in period makes some attack vectors less likely, the wide-ranging impact suggests a systemic vulnerability. For context, Squarespace announced that it had completed the acquisition of Google’s domain business on September 7, 2023.
It’s crucial to note that these are speculative theories, not confirmed facts about the attack method. The exploit likely leveraged a combination of tactics or an as-yet-undisclosed vulnerability in the domain management system.
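Celer Network said its monitoring system caught the attempted takeover before users were affected. The script below is an added example, not code from the article, Blockaid, Celer, or any other project named here, of the simplest form such monitoring can take: it compares the A records several resolvers return for each domain against the addresses the operator expects. If every resolver agrees on an unexpected address, the authoritative records themselves have most likely changed (the registrar or DNS-provider hijack the article describes); if resolvers disagree with each other, that pattern is consistent with the cache poisoning the researcher mentions. The domain names, addresses and resolver snapshot are constructed placeholders; `system_resolver` is provided for live use and is not exercised by the constructed data.

```python
"""Toy DNS-drift monitor. Added example; domains, addresses and the resolver
snapshot below are constructed placeholders, not data from the incident."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# A resolver is any callable (resolver_name, domain) -> set of IPv4 strings.
Resolver = Callable[[str, str], Set[str]]


@dataclass(frozen=True)
class Alert:
    domain: str
    kind: str      # "hijack", "poisoning" or "no_answer"
    detail: str


def system_resolver(_resolver_name: str, domain: str) -> Set[str]:
    """Live resolver using the host's stub resolver (needs network access)."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def check_domain(domain: str, expected: Set[str], resolvers: List[str],
                 resolve: Resolver) -> List[Alert]:
    """Classify what the resolvers say about one domain."""
    answers = {name: resolve(name, domain) for name in resolvers}
    answered = {name: ans for name, ans in answers.items() if ans}

    if not answered:
        return [Alert(domain, "no_answer", "no resolver returned an address")]

    # Every resolver returned addresses and none overlap the expected set:
    # the authoritative record has most likely been changed at the source.
    if all(not (ans & expected) for ans in answered.values()) \
            and len(answered) == len(answers):
        seen = sorted(set().union(*answered.values()))
        return [Alert(domain, "hijack",
                      f"all resolvers returned {seen}, expected {sorted(expected)}")]

    # Only some resolvers return unexpected addresses: resolvers disagree,
    # which is what a poisoned cache at one resolver looks like from outside.
    stray = {name: sorted(ans - expected) for name, ans in answered.items()
             if ans - expected}
    if stray:
        return [Alert(domain, "poisoning",
                      f"unexpected addresses from {stray}, expected {sorted(expected)}")]
    return []


def run_monitor(expected: Dict[str, Set[str]], resolvers: List[str],
                resolve: Resolver) -> List[Alert]:
    """Check every domain in the allowlist and collect the alerts."""
    alerts: List[Alert] = []
    for domain, addrs in expected.items():
        alerts.extend(check_domain(domain, addrs, resolvers, resolve))
    return alerts


# Constructed allowlist: the addresses each frontend is supposed to resolve to.
EXPECTED: Dict[str, Set[str]] = {
    "app.example": {"192.0.2.10", "192.0.2.11"},
    "bridge.example": {"198.51.100.5"},
    "docs.example": {"203.0.113.7"},
}

# Constructed snapshot of what three independent resolvers answered.
SNAPSHOT: Dict[str, Dict[str, Set[str]]] = {
    "resolver-a": {"app.example": {"203.0.113.66"},
                   "bridge.example": {"198.51.100.5"},
                   "docs.example": {"203.0.113.7"}},
    "resolver-b": {"app.example": {"203.0.113.66"},
                   "bridge.example": {"203.0.113.66"},   # only this resolver differs
                   "docs.example": {"203.0.113.7"}},
    "resolver-c": {"app.example": {"203.0.113.66"},
                   "bridge.example": {"198.51.100.5"},
                   "docs.example": {"203.0.113.7"}},
}


def snapshot_resolver(resolver_name: str, domain: str) -> Set[str]:
    """Offline resolver that replays the constructed snapshot."""
    return SNAPSHOT[resolver_name].get(domain, set())


if __name__ == "__main__":
    for alert in run_monitor(EXPECTED, list(SNAPSHOT), snapshot_resolver):
        print(f"[{alert.kind}] {alert.domain}: {alert.detail}")
```

In live use the resolver callable would query several independent public resolvers rather than only the host's stub resolver, and the expected set would be kept under change control so that a legitimate migration updates the allowlist before it updates DNS. A second cheap signal, not shown here, is watching the NS and registrar records of the domain, since a takeover at the registrar level changes those first.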
This story is developing and will be updated. Crypto Briefing has reached out to Squarespace for comments.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.