- Multiple DeFi platforms including Compound Finance have fallen victim to a DNS attack
- Attackers have compromised the websites of affected projects and are directing visitors to wallet drainers
- The amount stolen through the attack is currently unknown
DeFi protocols are experiencing a DNS attack in which malicious actors have hijacked their websites and are directing visitors to crypto wallet drainers. Protocols that have fallen victim to this attack include Compound Finance, Celer Network and Pendle Finance. The attack was discovered by web3 security tool Blockaid, which believes multiple DeFi protocols are still at risk of hijacking, so DeFi users should be cautious when accessing their favorite DeFi websites.
Over 120 DeFi Protocols at Risk
According to a Blockaid investigation, attackers are targeting DeFi platforms using Squarespace domain names. It’s estimated that more than 120 platforms may be affected. The list of potentially affected protocols includes domain names of NFT marketplaces like LooksRare.
From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on Squarespace.
For instance, here’s the DNS history of compound.finance – we can see that earlier today, the DNS was hijacked to point to a new IP address: pic.twitter.com/y7iSBw1aAJ
— Blockaid (@blockaid_) July 11, 2024
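The hijack Blockaid describes shows up as a change in a domain's A records: the name suddenly resolves to an IP the project never hosted on. The following is an added example, not code from the article or from Blockaid, of the simplest defensive check a project team could run on its own domain: compare each DNS snapshot against an approved baseline and report the first moment the records leave it. All hostnames, IPs and timestamps below are constructed sample data (documentation IP ranges), not the real records of any protocol.

```python
"""
Added example (not from the article or Blockaid): a minimal DNS A-record
baseline check that flags when a domain starts resolving to addresses
outside the owner's approved set. Sample data is constructed.
"""
from dataclasses import dataclass
import ipaddress
import socket


@dataclass(frozen=True)
class Snapshot:
    observed_at: str        # ISO-8601 time of the lookup (constructed)
    a_records: frozenset    # IPv4 strings the host resolved to


def unexpected_records(baseline, observed):
    """Return the A records in `observed` that are not in the approved
    `baseline`, sorted. A non-empty result is the hijack signal."""
    approved = {ipaddress.ip_address(ip) for ip in baseline}
    seen = {ipaddress.ip_address(ip) for ip in observed}
    return sorted(str(ip) for ip in seen - approved)


def first_deviation(history, baseline):
    """Walk a DNS history (oldest first) and return the timestamp of the
    first snapshot whose records leave the baseline, or None if none do."""
    for snap in history:
        if unexpected_records(baseline, snap.a_records):
            return snap.observed_at
    return None


def live_a_records(hostname):
    """Resolve `hostname` with the system resolver (needs network access;
    everything else in this example runs offline)."""
    _, _, addrs = socket.gethostbyname_ex(hostname)
    return frozenset(addrs)


# Constructed baseline: the addresses the project actually hosts on.
BASELINE = frozenset({"198.51.100.10", "198.51.100.11"})

# Constructed DNS history: the last snapshot points somewhere new.
HISTORY = [
    Snapshot("2024-07-10T08:00:00Z", frozenset({"198.51.100.10", "198.51.100.11"})),
    Snapshot("2024-07-11T02:00:00Z", frozenset({"198.51.100.11", "198.51.100.10"})),
    Snapshot("2024-07-11T09:15:00Z", frozenset({"203.0.113.77"})),
]

if __name__ == "__main__":
    print("first deviation:", first_deviation(HISTORY, BASELINE))
    print("unexpected records in latest snapshot:",
          unexpected_records(BASELINE, HISTORY[-1].a_records))
```

In practice the snapshots would come from periodic lookups (the `live_a_records` helper) stored with their timestamps, and the check should also be run against the registrar's own record view, since a hijack at the registrar changes the authoritative answer that every public resolver then serves.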
Crypto wallets like MetaMask are warning users when they try to interact with an address associated with the attack. Some of the compromised platforms have taken to social media to warn their users against interacting with project websites until the issue has been resolved.
🚨 URGENT: The Compound Labs website (compound[.]finance) has been compromised.
Please do not visit the website or click any links until further notice. An update will be provided when available.
This is our final message // end of tweet. 🚨
— Compound Labs (@compoundfinance) July 11, 2024
Security researchers have noted that the attack likely does not affect DeFi protocols’ smart contracts, meaning that funds locked in the contracts are safe. The researchers have also suggested that the problem may be localized to the domain name registrar. Compound Finance has regained access to its website and disclosed that user funds are safe.
✅ Update: Thanks to the tenacious efforts of so many in the community, the https://t.co/Dcq4ZkswRX website is once again secure. Please always remain vigilant in clicking links to avoid phishing scams.
Make sure to restart your browser to ensure visiting the proper website. If…
— Compound Labs (@compoundfinance) July 12, 2024
This kind of attack is not new in the crypto space. Websites that have encountered similar attacks in the past include Etherscan and Blockworks, where scammers created replicas and linked them to wallet drainers.
Wallet Drainers on Social Media Accounts
Wallet drainers are becoming a preferred tool among scammers, with malicious actors even hacking the social media accounts of popular entities like MicroStrategy and directing unsuspecting followers to wallet drainers.
With the current attack linked to a domain name registrar, many more websites are likely compromised, which could lead to a significant amount of stolen funds.