DeFi Apps Frontend Targeted in Domain Registry Attack on Squarespace

On July 11, several decentralized finance (DeFi) apps fell victim to a domain registry attack, according to a post on X by Blockaid. The initial investigation suggests the attacker is targeting domain names hosted by Squarespace, putting any DeFi app using a Squarespace domain at potential risk.

The attacker managed to take over the DNS registry for Compound Finance and attempted, but failed, to do the same with Celer Network's registry. The issue first came to light when security researchers noticed the Compound interface at compound.finance was redirecting users to a malicious site. This site featured a drainer app designed to steal users' tokens.

At 1:38 pm UTC, Celer Network disclosed that it had also been targeted. However, thanks to its domain monitoring system, Celer detected and intercepted the takeover before any damage could be done. By 3:38 pm UTC, Blockaid had issued a warning that "multiple DeFi front ends are at risk of hijacking, with a few incidents already taking place." The attackers seem to be hijacking DNS records of projects hosted on Squarespace.
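The kind of check a domain monitoring system like the one Celer describes runs, as an added example that is not code from any project named above: it pins a baseline of a front end's DNS records and reports drift, treating NS or A/AAAA changes (resolution moving to infrastructure the project does not control) as a suspected takeover. The domain, record values and resolver hook are constructed assumptions.

```python
"""Baseline drift check for a web front end's DNS records.

Compares the records currently observed for a domain against a pinned
baseline and reports what changed. NS or A/AAAA drift is the signal a
registrar-level takeover produces; TXT-only drift is reported but not
treated as a hijack. Domain and record values are constructed samples."""
import socket
from dataclasses import dataclass, field


@dataclass
class DriftReport:
    domain: str
    changed: dict = field(default_factory=dict)  # rtype -> (baseline, observed)

    @property
    def hijack_suspected(self) -> bool:
        return any(r in self.changed for r in ("NS", "A", "AAAA"))


def check_records(domain: str, baseline: dict, observed: dict) -> DriftReport:
    """baseline / observed map a record type (e.g. "NS") to a set of values."""
    report = DriftReport(domain)
    for rtype in set(baseline) | set(observed):
        want, got = set(baseline.get(rtype, ())), set(observed.get(rtype, ()))
        if want != got:
            report.changed[rtype] = (sorted(want), sorted(got))
    return report


def observe_a_records(domain: str) -> dict:
    """Live observation of A records with the standard library only.
    NS records need a DNS library (e.g. dnspython); this hook is an assumption."""
    return {"A": set(socket.gethostbyname_ex(domain)[2])}


# Constructed sample: baseline captured earlier, then two later observations.
BASELINE = {"NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
            "A": {"198.51.100.10"}}
OBSERVED_CLEAN = {"NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
                  "A": {"198.51.100.10"}, "TXT": {"v=spf1 -all"}}
OBSERVED_HIJACKED = {"NS": {"ns1.attacker.test"}, "A": {"203.0.113.7"}}

if __name__ == "__main__":
    for label, obs in (("clean", OBSERVED_CLEAN), ("hijacked", OBSERVED_HIJACKED)):
        r = check_records("app.example.test", BASELINE, obs)
        print(label, "hijack suspected:", r.hijack_suspected, r.changed)
```

Run on a schedule against the real records, the first report with `hijack_suspected` set is the moment to pull the front end and warn users, before a redirected domain can serve a drainer.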

0xngmi, a developer at DefiLlama, shared a list of potentially affected domains. This list includes over 100 DeFi protocols like Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, and LooksRare, among others. Web3 wallet MetaMask warned users about possibly compromised apps linked to the attack. "For those of you using MetaMask, you’ll see a warning provided by @blockaid_ if you attempt to transact on any known site involved in this current attack," MetaMask announced.