The migration of Google’s domain registrar to Squarespace resulted in more than 120 DeFi domains becoming vulnerable to DNS attacks.
The web2 infrastructure underpinning web3 front-end interfaces continues to pose risks to users.
Experts are urging web3 users to avoid interacting with the front-end interfaces of DeFi protocols after domain migrations associated with Squarespace’s acquisition of Google’s domain business left many websites vulnerable to domain name server (DNS) attacks.
On July 11, the front-end domains for Compound Finance, Pendle Finance, and Celer Network were targeted after the migration resulted in the two-factor authentication (f2a) securing websites previously managed by Google was deactivated. Compound, Pendle, and Celer each tweeted that their domains have since been secured.
“A DNS attack is going on right now affecting Squarespace domain registrar,” tweeted Bobby Ong, the co-founder of CoinGecko. “Best thing to do is to not interact with crypto and rest for the next couple of days until everything is resolved.
0xngmi of DeFi Llama shared a list of more than 120 DeFi domains that could be vulnerable to the attack. “This is a list of all domains that share this registrar so they could be at risk of being hacked,” they said.
Front-end user interfaces (UIs) allow users to interact with DeFi protocols via a typical graphical UI hosted via a web domain. While DeFi projects’ front-ends may be vulnerable, the incident has not impacted underlying web3 back-end protocols — which facilitate server-side operations, databases, and application logic.
Domain migration
In June 2023, Google sold its domain business to Squarespace. However, the websites were not migrated from Google to Squarespace until two days ago on July 10.
It appears that domain owners were not aware that their 2fa would be disabled as part of the transition, exposing numerous domains to potential DNS attacks. Attackers were able to redirect the DNS records of popular DeFi front-end websites to malicious addresses hosting wallet drainers and phishing attacks.
“From initial assessment, it appears that the attackers are operating by hijacking DNS records of projects hosted on SquareSpace,” tweeted Blockaid, a web3 security firm. “The attackers are using a drainer kit associated with the most recent iteration of the Inferno drainer group.”
Inferno Drainer is designed to trick unsuspecting users into approving malicious transactions that transfer a victim’s funds to the hacker’s wallet.
“Our bot detected that a new malicious DNS record was added to redirect Pendle’s dApp to a malicious site,” Pendle tweeted.
According to CertiK, phishing attacks accounted for nearly $498 million worth of losses to crypto exploits during the first half of 2024, equating to 72% of the $688 million lost to all forms of attacks combined.
Squarespace did not respond to The Defiant’s request for comment at the time of publishing.
Related: Bittensor Halts Network After Users Fall Victim To Malicious Python Software
