Over 120 DeFi protocols at risk in suspected Squarespace DNS attack

Blockchain security firm Blockaid has warned of a possibly widespread domain hijacking incident affecting Compound, Celer Network, and potentially 120 other protocols. According to the report, a new frontend attack was detected today, July 11, preceded by an initially benign attack from July 6.

This development follows a Crypto Briefing report earlier today about Compound Labs’ confirmation that the front-end for their website, compound[.]finance was compromised. Blockaid notes that the attacker has also attempted to compromise Celer Network after gaining control of Compound’s DNS.

The attack was first detected when users noticed Compound’s interface at compound[.]finance redirecting to a malicious website containing a token-draining application. Celer Network also confirmed an attempted takeover of its domain, which was thwarted by its monitoring system.

Blockaid’s investigation suggests the attacker is specifically targeting domain names provided by Squarespace, potentially putting any DeFi app using a Squarespace domain at risk.

“From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace,” the security firm stated on X.

0xngmi, developer of blockchain analytics platform DefiLlama, shared a list of 125 DeFi protocols that may be affected by this attack. The list includes prominent projects such as Thorchain, Aptos Labs, Near, Flare, Pendle Finance, dYdX, Polymarket, Satoshi Protocol, Nirvana, Ferrum, and MantaDAO, among others.

In response to the threat, Web3 wallet MetaMask announced it is working to warn users of potentially compromised apps associated with the attack. “For those of you using MetaMask, you’ll see a warning provided by @blockaid_ if you attempt to transact on any known site that’s involved in this current attack,” the company stated.

This domain-name hijacking incident is the latest in a series of attacks targeting the DeFi sector. In December, a similar attack saw malicious code injected into the Ledger Connect library, affecting a large portion of the Ethereum Virtual Machine ecosystem.

Possible exploit methods

The possible DNS attack on over 120 DeFi protocols has sparked speculation about the potential exploit methods employed.

According to a security researcher in direct contact with this author, the possible methods could range from sophisticated pre-registration tactics, in which threat actors may have registered domains before the transfers from Google to Squarespace were completed, to mass domain sign-ups potentially mixed with legitimate Squarespace domains.

The researcher, who responded to queries on the condition of anonymity, noted that this series of incidents could have also been executed through DNS cache poisoning, more commonly known as DNS spoofing, a method in which false data is injected into a DNS cache, resulting to DNS queries returning an incorrect response, directing users to wrong, possibly malicious websites.

Based on this author’s conversations with the security researcher, more alarming theories suggest a direct breach of Squarespace’s security, potentially allowing attackers to manipulate DNS records directly from the source.

While a typical domain transfer lock-in period makes some attack vectors less likely, the wide-ranging impact suggests a systemic vulnerability. For context, Squarespace announced that it had completed the acquisition of Google’s domain business on September 7, 2023.

It’s crucial to note that these are speculative theories, not confirmed facts about the attack method. The exploit likely leveraged a combination of tactics or an as-yet-undisclosed vulnerability in the domain management system.

This story is developing and will be updated. Crypto Briefing has reached out to Squarespace for comments.