A significant domain registry attack compromised the DNS of multiple DeFi applications, including Compound and Celer Network, potentially affecting over 120 protocols using Squarespace domains.

DeFi Apps Under Attack

On July 11, multiple decentralized finance (DeFi) applications became the victims of a significant domain registry attack. Blockchain security firm Blockaid identified a widespread domain hijacking incident that affected Compound Finance, Celer Network, and potentially 120 other DeFi protocols.

The attack followed one on Compound Finance's DNS registry, where its front-end interface at compound.finance being redirected to a phishing site equipped with a drainer app designed to steal user tokens. Compound Labs confirmed the compromise of their website's front-end. However, Celer Network managed to thwart a similar takeover attempt thanks to its domain monitoring system.

Investigation and Initial Findings

Blockaid's investigation revealed that the attacker targeted domain names provided by Squarespace. This puts any DeFi app with a Squarespace domain at risk. The attack was detected initially as benign on July 6 but escalated into a significant threat by July 11.

The attack appears to exploit vulnerabilities in the DNS records of projects hosted on Squarespace. This method allows attackers to gain control over a website and redirect traffic to malicious phishing sites. 

Researcher samczsun from Paradigm suggested that the hack might have originated from Google Domain accounts used by these protocols. Squarespace's acquisition of Google Domains in a $180 million deal last year has put all associated websites under scrutiny.

Broader Impact and Response

0xngmi, a developer from the blockchain analytics platform DefiLlama, shared a list of 126 DeFi protocols that could be potentially affected by the attack. Prominent projects on this list include Thorchain, Aptos Labs, Near, Flare, Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, Ferrum, and MantaDAO.

In response to the threat, MetaMask, a popular Web3 wallet, announced efforts to warn users about potentially compromised apps. MetaMask users attempting to transact on known affected sites will receive warnings from Blockaid.

Historical Context and Future Implications

This incident is one of several attacks against the Web3 industry over the past year. In December, an attacker injected malicious code into the Ledger Connect library, impacting nearly the entire Ethereum Virtual Machine ecosystem. The methods used to exploit DeFi protocols range from sophisticated pre-registration tactics to mass domain sign-ups mixed with legitimate Squarespace domains.

The attack underscores the vulnerabilities in the domain registration systems used by DeFi protocols and highlights the need for enhanced security measures to protect these platforms from future threats.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.