tl;dr
Fresh insights have emerged about the recent DNS hijacking attack on decentralized finance (DeFi) protocols. Attackers targeted DNS records hosted on Squarespace, impacting Ethereum-based DeFi protocol Compound and multi-chain interoperability protocol Celer Network. Roughly 228 DeFi protocol front ...
DNS hijacking attack on DeFi protocols reveals potential extent and nature of breach. Attackers targeted DNS records hosted on Squarespace, impacting Ethereum-based DeFi protocol Compound and multi-chain interoperability protocol Celer Network. Roughly 228 DeFi protocol front ends still at risk, with Inferno Drainer group exploiting vulnerabilities. Verified onchain records for domains could offer an additional layer of protection against DNS attacks.
Fresh insights have emerged about the recent DNS hijacking attack on decentralized finance (DeFi) protocols. Attackers targeted DNS records hosted on Squarespace, impacting Ethereum-based DeFi protocol Compound and multi-chain interoperability protocol Celer Network. Roughly 228 DeFi protocol front ends are still at risk, associated with Inferno Drainer, a group known for stealing funds from users. An additional layer of protection can be offered by creating verified onchain records for domains, making it harder for hackers to manipulate DNS records. This information was shared by blockchain security firm Blockaid and Web3 domain provider Unstoppable Domains.
In the wake of the recent DNS hijacking attack on decentralized finance (DeFi) protocols, fresh insights have emerged about the potential extent and nature of the breach. The incident, highlighted by various sources, including blockchain security firm Blockaid, involved attackers targeting DNS records hosted on Squarespace. Those records were redirected to IP addresses associated with known malicious activities, Ido Ben-Natan, co-founder and CEO of Blockaid, told Decrypt. Ethereum-based DeFi protocol Compound and multi-chain interoperability protocol Celer Network were impacted Thursday, with their respective front-ends redirecting visitors to a page that drains the funds from connected wallets.
While the full extent of the hijack is not yet known, roughly 228 DeFi protocol front ends are still at risk, Ben-Natan said. "The association to Inferno Drainer is clear as shared onchain and offchain infrastructure," Ben-Natan said. "This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains linked to Inferno." Inferno Drainer's wallet kit allows cybercriminals to steal funds from unsuspecting users. It operates by prompting users to sign malicious transactions that give the attacker control over their digital assets. Once the transaction is signed, the drainer kit swiftly transfers the funds from the victim's wallet to the attacker's address. The kit is often deployed through phishing websites or compromised domains.
The Inferno Drainer group has been active for some time, targeting various DeFi protocols and exploiting different vulnerabilities. Their use of shared infrastructure makes it easier for security firms to track and identify related attacks, according to Ben-Natan. "Blockaid is able to track the addresses," he said. "Our team has also been working closely with the community to ensure there’s an open channel to report compromised sites." By creating verified onchain records for domains, an additional layer of protection can be offered for browsers and other systems to check, to offset the risk of DNS attacks, said Matthew Gould, founder of Web3 domain provider Unstoppable Domains.
DNS records can be configured not to update unless a verified onchain signature is provided, Gould said. At present, to change DNS records for Web3 domains, users must provide a signature for verification before any updates can be made. Even though this doesn't use an onchain mirror host, it still requires user identity verification for updates, Gould said. A new feature could be added where DNS updates need a signature from the user's wallet, making it much harder for hackers because they would need to hack both the registrar and the user separately, the founder said.