TLDR
- In an alarming breach, DeFi protocols like Compound Finance and Celer Network were ensnared by a DNS hijack.
- The attack seems focused on domains associated with the Squarespace platform.
- More than 220 DeFi protocol interfaces might still be vulnerable.
- The perpetrators seem to be employing the Inferno Drainer wallet kit to siphon funds.
- There are proposals to enhance defenses, such as mandating wallet signatures for DNS modifications, as a shield against further attacks.
On 11 July 2024, several DeFi platforms were hit by a targeted DNS hijack. Affected projects included Compound Finance and Celer Network, both well-known names in the cryptocurrency space.
Security specialists say the attack is aimed at domains managed through Squarespace, a widely used website builder and hosting service.
The breach came to light when users noticed that the Compound Finance URL redirected them to a malicious site.
That site hosted a 'drainer' application built to steal users' crypto assets. Celer Network reported being targeted in the same way, but its domain monitoring caught the change and the attack did not succeed.
Blockchain security firm Blockaid is tracking the situation closely. Ido Ben-Natan, its co-founder and CEO, said the attack pointed DNS records managed through Squarespace at IP addresses known for malicious activity.
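Celer's domain monitoring is what turned the same hijack into a near miss. Below is an added example of such a check, written in Go for this article and not code from Celer, Blockaid or any project named above: it resolves a hostname, compares the result against a baseline of expected addresses and an operator-maintained denylist, and emits an alert line when anything drifts. The hostname, baseline addresses and denylist entry are constructed placeholders (reserved documentation ranges), and the resolver is injected so the check runs offline; swap in `LiveResolver` to watch a real domain on a schedule.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Resolver returns the addresses a hostname currently resolves to.
// It is a seam so the check can be driven by a fake resolver offline.
type Resolver func(host string) ([]string, error)

// LiveResolver queries the system resolver (for real monitoring runs).
func LiveResolver(host string) ([]string, error) {
	ips, err := net.LookupIP(host)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(ips))
	for _, ip := range ips {
		out = append(out, ip.String())
	}
	return out, nil
}

// Finding describes how a host's live records differ from the baseline.
type Finding struct {
	Host       string
	Unexpected []string // resolved now but not in the baseline
	Missing    []string // in the baseline but no longer resolved
	Denylisted []string // resolved now and present on the operator's denylist
}

// Drifted reports whether anything about the host's resolution changed.
func (f Finding) Drifted() bool {
	return len(f.Unexpected) > 0 || len(f.Missing) > 0 || len(f.Denylisted) > 0
}

// CheckHost compares live resolution against the expected baseline and denylist.
func CheckHost(host string, baseline []string, denylist map[string]bool, resolve Resolver) (Finding, error) {
	got, err := resolve(host)
	if err != nil {
		return Finding{Host: host}, err
	}
	want := map[string]bool{}
	for _, ip := range baseline {
		want[ip] = true
	}
	seen := map[string]bool{}
	f := Finding{Host: host}
	for _, ip := range got {
		seen[ip] = true
		if !want[ip] {
			f.Unexpected = append(f.Unexpected, ip)
		}
		if denylist[ip] {
			f.Denylisted = append(f.Denylisted, ip)
		}
	}
	for _, ip := range baseline {
		if !seen[ip] {
			f.Missing = append(f.Missing, ip)
		}
	}
	sort.Strings(f.Unexpected)
	sort.Strings(f.Missing)
	sort.Strings(f.Denylisted)
	return f, nil
}

// Report renders a finding as a one-line alert for a pager or chat hook.
func Report(f Finding) string {
	if !f.Drifted() {
		return fmt.Sprintf("%s: OK", f.Host)
	}
	return fmt.Sprintf("%s: DRIFT unexpected=[%s] missing=[%s] denylisted=[%s]",
		f.Host,
		strings.Join(f.Unexpected, ","),
		strings.Join(f.Missing, ","),
		strings.Join(f.Denylisted, ","))
}

func main() {
	// Constructed baseline and denylist: a .test name and RFC 5737 addresses only.
	baseline := []string{"203.0.113.10", "203.0.113.11"}
	denylist := map[string]bool{"198.51.100.99": true}

	// Fake resolver standing in for a hijacked record set (constructed, offline).
	hijacked := func(host string) ([]string, error) {
		return []string{"203.0.113.10", "198.51.100.99"}, nil
	}
	f, err := CheckHost("app.example-defi.test", baseline, denylist, hijacked)
	if err != nil {
		fmt.Println("lookup failed:", err)
		return
	}
	fmt.Println(Report(f))
	// For a real domain, pass LiveResolver instead of the fake and run on a schedule.
}
```

The check deliberately alerts on any departure from the baseline, not only on denylisted addresses: a hijack to a previously unseen host is exactly the case a denylist misses, and a legitimate infrastructure change is cheap to acknowledge by updating the baseline.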
⚠️ The scenario is evolving – Multiple DeFi user interfaces are susceptible to hijacking, with a handful of cases emerging, concerning projects like @compoundfinance and @CelerNetwork getting hacked over the past 24 hours.
We'll keep updating this commentary as more info surfaces. pic.twitter.com/iWQR0ByIgB
— Blockaid (@blockaid_) July 11, 2024
Ben-Natan said that while the full scope of the breach is still unknown, an estimated 228 DeFi protocol interfaces remain exposed.
The attack is attributed to Inferno Drainer, a group notorious for targeting DeFi systems and exploiting weaknesses in their security.
The group's wallet-drainer kit tricks users into approving malicious transactions, which hands control of their assets to the attackers.
Cybersecurity researchers have identified infrastructure shared across Inferno Drainer campaigns, which makes related attacks easier to track.
Blockaid is working closely with the crypto community to keep channels open for reporting compromised sites.
The breach has reignited discussion of stronger defences for DeFi protocols. Matthew Gould, founder of Web3 domain provider Unstoppable Domains, proposed verified on-chain domain records. Browsers and similar clients could check a domain against such a record, adding a verification layer that helps mitigate DNS-based attacks.
Gould also proposed requiring that any DNS change carry a signature from the domain owner's wallet. An attacker would then need to compromise both the registrar account and the owner's wallet, two independent targets, to redirect a domain.
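To make the second proposal concrete, here is an added example, written for this article and not code from Unstoppable Domains or any registrar, of a registrar that applies a DNS change only when it carries a valid signature from the domain owner's key. It uses Ed25519 from Go's standard library rather than an Ethereum wallet signature, and the domain name, record values and the in-memory `Registrar` type are assumptions for illustration. A per-domain nonce rejects replays of an old signed change, and the scenario shows why access to the registrar account alone is no longer enough.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DNSChange is a record update submitted to the registrar.
type DNSChange struct {
	Domain string `json:"domain"`
	Type   string `json:"type"`  // e.g. "A"
	Value  string `json:"value"` // e.g. an IPv4 address
	Nonce  uint64 `json:"nonce"` // strictly increasing per domain; blocks replay
}

// SignedChange carries the change plus the domain owner's signature over it.
type SignedChange struct {
	Change DNSChange
	Sig    []byte
}

var (
	ErrUnknownDomain = errors.New("no owner key registered for domain")
	ErrUnauthorized  = errors.New("signature does not verify against the owner key")
	ErrReplay        = errors.New("nonce not greater than last applied nonce")
)

// canonical returns the exact bytes that are signed: a version prefix plus the
// JSON encoding, so a signature cannot be reused for a different message type.
func canonical(c DNSChange) ([]byte, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return append([]byte("dns-change-v1:"), b...), nil
}

// SignChange is the owner's side: sign the canonical bytes with the wallet key.
func SignChange(priv ed25519.PrivateKey, c DNSChange) (SignedChange, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedChange{}, err
	}
	return SignedChange{Change: c, Sig: ed25519.Sign(priv, msg)}, nil
}

// Registrar models the registrar side (assumed, in-memory): a binding from domain
// to owner key, the role an on-chain record would play, plus nonces and the zone.
type Registrar struct {
	Owners map[string]ed25519.PublicKey
	Nonces map[string]uint64
	Zone   map[string]string // key: domain + "/" + record type
}

func NewRegistrar() *Registrar {
	return &Registrar{Owners: map[string]ed25519.PublicKey{}, Nonces: map[string]uint64{}, Zone: map[string]string{}}
}

// Apply refuses any change not signed by the registered owner key, regardless
// of whether the caller is logged in to the registrar's web panel.
func (r *Registrar) Apply(sc SignedChange) error {
	pub, ok := r.Owners[sc.Change.Domain]
	if !ok {
		return ErrUnknownDomain
	}
	msg, err := canonical(sc.Change)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Sig) {
		return ErrUnauthorized
	}
	if sc.Change.Nonce <= r.Nonces[sc.Change.Domain] {
		return ErrReplay
	}
	r.Nonces[sc.Change.Domain] = sc.Change.Nonce
	r.Zone[sc.Change.Domain+"/"+sc.Change.Type] = sc.Change.Value
	return nil
}

// Scenario exercises four cases and returns their outcomes: a legitimate owner
// update, an attacker with registrar access but no wallet key, a replay of an
// old signed change, and a signed change whose value was altered in transit.
func Scenario() (ownerErr, attackerErr, replayErr, tamperErr error, finalValue string) {
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	const domain = "app.example-defi.test" // constructed placeholder domain
	reg := NewRegistrar()
	reg.Owners[domain] = ownerPub

	// 1. Owner signs a legitimate A-record change (RFC 5737 address, constructed).
	good, _ := SignChange(ownerPriv, DNSChange{Domain: domain, Type: "A", Value: "203.0.113.10", Nonce: 1})
	ownerErr = reg.Apply(good)
	// 2. Attacker controls the registrar account but not the owner's wallet key.
	bad, _ := SignChange(attackerPriv, DNSChange{Domain: domain, Type: "A", Value: "198.51.100.99", Nonce: 2})
	attackerErr = reg.Apply(bad)
	// 3. Replaying the owner's earlier signed change is rejected by the nonce.
	replayErr = reg.Apply(good)
	// 4. Altering the value under the owner's signature breaks verification.
	tampered := good
	tampered.Change.Value = "198.51.100.99"
	tampered.Change.Nonce = 3
	tamperErr = reg.Apply(tampered)

	finalValue = reg.Zone[domain+"/A"]
	return
}

func main() {
	o, a, r, tp, v := Scenario()
	fmt.Println("owner update:", o, "| attacker update:", a, "| replay:", r, "| tampered:", tp)
	fmt.Println("zone A record:", v)
}
```

The `Owners` map stands in for whatever trust anchor publishes the owner key; a verified on-chain domain record of the kind proposed above would play that role. Because the signature covers a canonical encoding of the whole change, an attacker who has only the registrar login can neither submit a new record nor edit a previously signed one.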
Since the breach, several crypto projects and platforms have strengthened their defences. MetaMask, a prominent Web3 wallet, said it is warning users about potentially dangerous applications connected to the breach.
Users attempting transactions on any implicated platforms during the current breach will be alerted by Blockaid.
If you're leveraging MetaMask and try to trade on any implicated site in this ongoing threat, you'll be apprised by @blockaid_ #mmsecurity https://t.co/Fk0sAjaeit
— MetaMask (@MetaMask) July 11, 2024
The crypto community has rallied to spread awareness and limit the damage. DefiLlama contributor 0xngmi listed more than 100 DeFi systems possibly affected, including recognisable names such as Pendle Finance, dYdX, Polymarket, and LooksRare.
Editor-in-Chief of Blockonomi and the mind behind Kooc Media, a digital media venture based in the UK, staunch supporter of Open-Source Software, Blockchain, and an accessible and equitable internet for all.