
Over 120 DeFi protocols compromised in suspected Squarespace DNS attack

Key takeaways

  • Blockaid has identified a DNS attack targeting DeFi apps hosted on Squarespace.
  • MetaMask actively warns users about compromised DeFi applications.


Blockchain security firm Blockaid has warned of a potentially widespread domain hijacking incident affecting Compound and Celer Network, with as many as 120 other protocols possibly exposed. According to the report, a new frontend attack was discovered today, July 11, following an initially benign attack on July 6.

This development follows a Crypto Briefing report from today in which Compound Labs confirmed that the front-end of their website Compound(.)finance was compromised. Blockaid notes that the attacker also attempted to compromise Celer Network after gaining control of Compound’s DNS.

The attack was first discovered when users noticed that the Compound interface at compound(.)finance redirected to a malicious website containing a token-draining application. Celer Network also confirmed a takeover attempt of its domain that was thwarted by its monitoring system.

Blockaid’s investigation suggests that the attacker is specifically targeting domain names provided by Squarespace, potentially compromising any DeFi app that uses a Squarespace domain.

“Based on an initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace,” the security company explained on X.

0xngmi, developer of the blockchain analytics platform DefiLlama, has published a list of 125 DeFi protocols that could be affected by this attack. The list includes prominent projects such as Thorchain, Aptos Labs, Near, Flare, Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, Ferrum, and MantaDAO, among others.

In response to the threat, Web3 wallet MetaMask announced that it was working to warn users about potentially compromised apps linked to the attack. “If you use MetaMask, you will see a warning from @blockaid_ when you attempt to transact on a known site involved in this current attack,” the company explained.

This domain name hijacking incident is the latest in a series of attacks on the DeFi sector. In December, a similar attack injected malicious code into the Ledger Connect library, affecting a large part of the Ethereum Virtual Machine ecosystem.

Possible exploit methods

The possible DNS attack on over 120 DeFi protocols has sparked speculation about the exploit methods that may have been used.

According to a security researcher in direct contact with the author, the possible methods range from pre-registration tactics, in which threat actors could have registered domains before the transfer from Google to Squarespace was complete, to bulk registrations of domains that may have been mixed in with legitimate Squarespace domains.

The researcher, who spoke on condition of anonymity, pointed out that this series of incidents could also have been caused by DNS cache poisoning, better known as DNS spoofing: false data is injected into a DNS cache so that lookups return an incorrect answer, redirecting users to fake, potentially malicious websites.

Based on this author’s conversations with the security researcher, more alarming theories point to a direct breach of Squarespace’s security, potentially allowing attackers to tamper with DNS records directly from the source.

While the transfer lock that registrars typically apply after a domain changes hands makes some attack vectors less likely, the wide-ranging impact suggests a systemic vulnerability. For context, Squarespace announced that it had completed its acquisition of Google’s domain business on September 7, 2023.

It is important to note that these are speculative theories and not confirmed facts about the attack method. The exploit likely used a combination of tactics or a previously undisclosed vulnerability in the domain management system.
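Whichever vector was actually used, the two families of explanation above leave different fingerprints, and that difference is what a record-monitoring setup of the kind Celer Network credits with thwarting the takeover attempt can act on. A change made at the registrar or DNS host shows up identically at every recursive resolver, because the authoritative zone itself changed; a poisoned cache shows up only at the resolver that was poisoned. The following is an added example written for this article, not code from Blockaid, Celer, Squarespace or Crypto Briefing. It compares a pinned baseline of A and NS records against the answers several resolvers return and classifies the drift. All domain names, resolver labels and IP addresses are constructed sample values (RFC 5737 documentation ranges and .example names); nothing is queried live.

```python
"""DNS record drift detector (added example, not from any project named in the article).

Derives two distinct signals from a baseline plus several resolvers' answers:
  * every resolver disagrees with the baseline in the same way -> the
    authoritative zone changed (registrar / DNS-host level hijack);
  * only some resolvers disagree -> those resolvers may be serving a poisoned
    cache entry (or are simply behind on propagation; re-query before escalating).
All data below is constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Baseline:
    """Pinned 'known good' view of a zone, captured while the site was healthy."""
    domain: str
    a_records: FrozenSet[str]
    nameservers: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    record_type: str   # "A" or "NS"
    severity: str      # "ok", "warn" or "critical"
    kind: str          # machine-readable label for alert routing
    detail: str


def _norm(names: Iterable[str]) -> FrozenSet[str]:
    """Case-fold and strip trailing dots so 'NS1.Example.' == 'ns1.example'."""
    return frozenset(n.lower().rstrip(".") for n in names)


def _assess_type(record_type: str, base: FrozenSet[str],
                 views: Dict[str, FrozenSet[str]]) -> Finding:
    divergent = {r: v for r, v in views.items() if v != base}
    if not divergent:
        return Finding(record_type, "ok", "matches_baseline",
                       f"{len(views)} resolvers agree with baseline")
    if len(divergent) == len(views):
        distinct = set(divergent.values())
        if len(distinct) == 1:
            # Consistent, globally visible change: the zone itself was altered.
            new = sorted(next(iter(distinct)) - base)
            return Finding(record_type, "critical", "authoritative_change",
                           f"all resolvers return {new}; zone changed at source "
                           "(registrar / DNS host level)")
        return Finding(record_type, "critical", "inconsistent_change",
                       "all resolvers differ from baseline and from each other")
    # Partial divergence: localized to specific resolvers.
    names = ", ".join(sorted(divergent))
    return Finding(record_type, "warn", "resolver_divergence",
                   f"only {names} differ; possible poisoned cache or "
                   "propagation lag, re-query before escalating")


def assess(baseline: Baseline,
           observed: Dict[str, Dict[str, List[str]]]) -> List[Finding]:
    """observed maps resolver name -> {"A": [...], "NS": [...]} answers."""
    a_views = {r: _norm(ans.get("A", [])) for r, ans in observed.items()}
    ns_views = {r: _norm(ans.get("NS", [])) for r, ans in observed.items()}
    return [
        _assess_type("A", _norm(baseline.a_records), a_views),
        _assess_type("NS", _norm(baseline.nameservers), ns_views),
    ]


# Constructed sample data: documentation IP ranges and .example names only.
BASELINE = Baseline(
    domain="frontend.example",
    a_records=frozenset({"192.0.2.10"}),
    nameservers=frozenset({"ns1.legit-dns.example", "ns2.legit-dns.example"}),
)
GOOD_NS = ["ns1.legit-dns.example.", "NS2.legit-dns.example"]  # mixed case / trailing dot on purpose
HEALTHY = {
    "resolver-a": {"A": ["192.0.2.10"], "NS": GOOD_NS},
    "resolver-b": {"A": ["192.0.2.10"], "NS": GOOD_NS},
    "resolver-c": {"A": ["192.0.2.10"], "NS": GOOD_NS},
}
ZONE_HIJACK = {  # every resolver sees the same foreign A and NS records
    r: {"A": ["198.51.100.77"], "NS": ["ns1.rogue-ns.example"]} for r in HEALTHY
}
ONE_RESOLVER_POISONED = {
    "resolver-a": {"A": ["192.0.2.10"], "NS": GOOD_NS},
    "resolver-b": {"A": ["192.0.2.10"], "NS": GOOD_NS},
    "resolver-c": {"A": ["198.51.100.77"], "NS": GOOD_NS},
}

if __name__ == "__main__":
    for label, obs in [("healthy", HEALTHY), ("zone hijack", ZONE_HIJACK),
                       ("one resolver poisoned", ONE_RESOLVER_POISONED)]:
        print(f"== {label}")
        for f in assess(BASELINE, obs):
            print(f"  [{f.severity:8}] {f.record_type:2} {f.kind}: {f.detail}")
```

In production the `observed` dictionary would be filled by querying several independent recursive resolvers (and ideally the zone's own authoritative servers) on a short interval; the NS check matters because a delegation change at the registrar is the earlier and more reliable indicator of an account-level compromise than a changed A record, which can also result from a legitimate hosting move.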

This story is developing and will be updated. Crypto Briefing has reached out to Squarespace for comment.
