Since June 23, a number of DeFi projects, including Convex Finance, Allbridge, Ribbon Finance and DeFi Saver, have faced DNS hijacking attacks. All of them used Namecheap’s domain registrar services.
So far 4 #ethereum DeFi projects experienced a DNS hijack attack. @ConvexFinance @ribbonfinance @DeFiSaver and Allbridge.
They are all using @Namecheap and logged into their accounts to see DNS changed. So far namecheap has provided no explanation. @Namecheap this is serious pic.twitter.com/KD9w8GJAgp
— Lefteris Karapetsas | Hiring for @rotkiapp (@LefterisJP) June 24, 2022
On June 24, Convex Finance announced that attackers had seized control of the project’s DNS server to prompt users to approve malicious smart contracts.
DeFi Saver said that on June 23 they faced a “DNS-attack attempt.” According to the developers, none of the users was harmed — the attack was detected promptly and necessary measures were taken.
The attack was noticed in real time thanks to security alerts and the team swiftly reacted.
Same as with others, strong passwords and 2fa were used and we don’t recognise security factors on our end that could have led to this.
We continue closely monitoring the situation.
— DeFi Saver (@DeFiSaver) June 24, 2022
Ribbon Finance also reported a DNS attack on the app.ribbon.finance server. The developers said they closed the vulnerability, but during the incident two users approved malicious smart contracts.
MistTrack analysts noted that one of the victims lost 16.5 WBTC (~$350,840 at the time of writing).
Ribbon Finance suffered a DNS hijacking attack. On-chain analysis showed that it was the same attacker as Convex. One victim lost 16.5 WBTC. Transaction details https://t.co/65Q8jaKa7u https://t.co/lrwkz6z6AJ pic.twitter.com/3YYJWoTmUq
— MistTrack (@MistTrack_io) June 24, 2022
Allbridge developers found that in some cases the app’s smart contract asked for repeated approval for EVM networks, even if it had already been granted.
The investigation showed that the attackers gained access to the cross-chain bridge’s DNS records and, for some users, triggered another approval request, replacing the Allbridge contract address that the interface points to with a malicious one.
4/9 Further investigation uncovered that the attacker gained access to the bridge DNS records and for some users triggered another token approval request, replacing Allbridge SC address with the malicious one, using the similar first and last symbols to our official contracts.
— Allbridge (@Allbridge_io) June 24, 2022
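The check the Allbridge case calls for, as an added Python example that is not from the article or from Allbridge: decode an ERC-20 approve() call and compare the full spender address against an allowlist, flagging addresses that share only their first and last characters with an official one. The addresses, the allowlist and the function names are constructed for illustration.

```python
# Added example. Addresses are constructed sample values, not real contracts.
APPROVE_SELECTOR = "095ea7b3"          # ERC-20 approve(address,uint256)
MAX_UINT256 = 2**256 - 1               # the usual "unlimited" allowance

OFFICIAL_ADDR = "0xbb12" + "1" * 32 + "49c3"   # hypothetical official contract
OFFICIAL = {OFFICIAL_ADDR}                     # hypothetical allowlist


def build_approve(spender, amount):
    """Encode approve() calldata (used here to make sample input)."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")


def parse_approve(calldata):
    """Return (spender, amount) for approve() calldata, else None."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 136 or not data.startswith(APPROVE_SELECTOR):
        return None
    if any(c not in "0123456789abcdef" for c in data):
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if spender_word[:24] != "0" * 24:      # address is left-padded to 32 bytes
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)


def classify_spender(spender, official=OFFICIAL, edge=4):
    """'official' on a full match; 'lookalike' if only both ends match."""
    spender = spender.lower()
    known = {a.lower() for a in official}
    if spender in known:
        return "official"
    for addr in known:
        if spender[2:2 + edge] == addr[2:2 + edge] and spender[-edge:] == addr[-edge:]:
            return "lookalike"
    return "unknown"


def review(calldata):
    """Summarise an approval request for display or alerting."""
    parsed = parse_approve(calldata)
    if parsed is None:
        return {"approve": False}
    spender, amount = parsed
    return {"approve": True, "spender": spender,
            "verdict": classify_spender(spender),
            "unlimited": amount == MAX_UINT256}


if __name__ == "__main__":
    lookalike = "0xbb12" + "2" * 32 + "49c3"   # constructed: same ends, different middle
    print(review(build_approve(lookalike, MAX_UINT256)))
```

Comparing the whole 40-character address is the point: a truncated display such as 0xbb12…49c3 is identical for both contracts.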
In an interview with ForkLog, Allbridge co-founder Andrey Velikiy stressed that the smart contracts were not compromised, and user funds are currently safe.
The team resolved the DNS issue — the project switched to Cloudflare and implemented additional security protocols. Affected users were notified to revoke approvals.
According to Velikiy, the project’s Namecheap account was protected by two-factor authentication. When the developers contacted the company, it blocked the Allbridge account but refused to provide data that could help resolve the incident.
The specialist also said that around 23 cryptocurrency projects faced a similar DNS attack. He noted that the only common denominator among them is Namecheap, and added that the group of victims is considering suing the provider.
ForkLog sent Namecheap a request for comment and will update the piece when it receives a reply.
Namecheap CEO Richard Kirkendall wrote on Twitter that the company had identified a “compromised agent” and removed that agent’s access.
We’ve traced this down to a specific CS agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating.
— Richard Kirkendall (@NamecheapCEO) June 24, 2022
On June 24, a hacker stole about $100 million in the Horizon cross-chain bridge attack on the Harmony protocol.
