Celer Network, one of two Web3 companies whose websites have been compromised, reported that it “successfully intercepted” an attempted takeover of its website. The Block reported early Thursday that the issues potentially stem from suspected problems at domain hosting firm Squarespace. Meanwhile, Compound Finance continues to warn users not to access its front-end website, which has been redirected to a malicious phishing site.
Phishing schemes are common in the crypto world. Often, hackers gain access to the social media accounts of high-profile celebrities or industry figures and post malicious wallet links to unsuspecting followers. Attacks on protocol websites themselves are less common but do happen occasionally.
Celer Network Heightens Security Alerts Amid Ongoing Threats
Compound DAO security advisor and OpenZeppelin developer Michael Lewellen warned the community on X (formerly Twitter) to be on high alert and avoid the $2 billion decentralized lending protocol’s website. Celer Network issued a similar alert four hours later, which has since been deleted. The original message warned of a “DNS domain attack” targeting multiple projects simultaneously.
DeFiLlama developer 0xngmi suspects that at least 128 protocols’ front-end websites are also at risk, including popular applications like Pendle Finance, dYdX, Thorchain, and Axelar. He clarified that while these sites are not currently compromised, they are at risk due to their use of Squarespace for domain hosting.
Suspected Vulnerabilities at Squarespace
Web3 security firm Blockaid and pseudonymous researcher samczsun both suggested that the issue stems from weaknesses at the Squarespace domain registrar, which recently took over the domains acquired from Google Domains. During the migration, several domain accounts allegedly lost their two-factor authentication, leaving them open to takeover.
Online records indicate that attackers hijacked the projects’ DNS records and pointed them at a new IP address under the attackers’ control. According to Blockaid, the attackers used a known “drainer kit” associated with the wallet-draining group Inferno Drainer. Since its inception in August 2023, Inferno Drainer has stolen at least $180 million worth of crypto from over 189,000 victims, according to Dune Analytics data.
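The hijack described above changes a domain’s A records at the registrar, so a project can catch it early by comparing live answers against a baseline. The following DNS drift monitor is an added example, not code from the article or from any of the projects named in it; the domain, baseline addresses and hosting ranges are constructed sample values.

```python
"""DNS drift monitor (added example): flags front-end A records that no longer
match a project's baseline, the symptom of a registrar-side DNS hijack."""
import ipaddress
import socket

# Constructed baseline for a hypothetical front-end domain: the A records a
# project expects and the hosting CIDRs it legitimately deploys from.
BASELINE = {
    "app.example.invalid": {
        "ips": {"198.51.100.10", "198.51.100.11"},
        "allowed_nets": ["198.51.100.0/24"],
    },
}


def resolve_a_records(domain):
    """Live lookup (requires network access); returns the set of A records."""
    _, _, addrs = socket.gethostbyname_ex(domain)
    return set(addrs)


def detect_drift(expected, observed_ips):
    """Compare observed A records against the baseline.
    Returns a list of (severity, message); an empty list means no change."""
    findings = []
    expected_ips = set(expected["ips"])
    nets = [ipaddress.ip_network(n) for n in expected["allowed_nets"]]
    for ip in sorted(observed_ips - expected_ips):
        # A new address inside the project's own hosting range is probably a
        # deploy; one outside it is the hijack pattern and is escalated.
        in_allowed = any(ipaddress.ip_address(ip) in n for n in nets)
        if in_allowed:
            findings.append(("warn", f"unexpected A record {ip}"))
        else:
            findings.append(("critical", f"unexpected A record {ip} outside allowed hosting ranges"))
    for ip in sorted(expected_ips - observed_ips):
        findings.append(("warn", f"expected A record {ip} missing"))
    return findings


def check_domain(domain, observed_ips=None):
    """Check one domain; pass `observed_ips` to evaluate a captured answer
    instead of performing a live lookup."""
    if observed_ips is None:
        observed_ips = resolve_a_records(domain)
    return detect_drift(BASELINE[domain], observed_ips)


if __name__ == "__main__":
    # Constructed observation: the record now points outside the hosting range.
    for severity, message in check_domain("app.example.invalid", {"203.0.113.77"}):
        print(severity.upper(), message)
```

Run it from cron or a CI job against your real domain and baseline, and page on any "critical" finding.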
However, Thursday’s exploit appears to have been less successful. An address linked to the malicious site has less than $1,400 in altcoins, and a second address, active for nearly a year, has more than $142,000 worth of ETH. Several wallets, including MetaMask, Coinbase Wallet, and Zerion, have already blocked these addresses.
Uncertain Origins of the Attack
It is not yet clear how the attack began. Whether a Squarespace employee was involved, whether someone was socially engineered, or whether attackers found another way into the projects’ registrar accounts remains unknown. Notably, neither the Celer Network nor the Compound Finance protocols themselves were compromised; only their front-end domains were affected.
In the past, several other DeFi platforms, including Curve Finance, Frax, and PancakeSwap, have faced similar front-end exploits. These incidents highlight the ongoing vulnerabilities in the DeFi space and the need for robust security measures.
Response and Future Precautions
At least one Web3 project, Aloe Labs, has decided to move to a new domain name provider following these attacks. This proactive measure underscores the importance of choosing secure and reliable domain hosting services to protect against potential vulnerabilities.
The crypto community continues to navigate the challenges of ensuring security and protecting assets in an evolving digital landscape. As these incidents show, vigilance and prompt action are essential in safeguarding against malicious actors seeking to exploit the decentralized finance ecosystem.
In conclusion, while Celer Network managed to intercept the attack on its website, the broader threat to numerous other Web3 projects remains. The incidents underscore the critical need for enhanced security protocols and cooperation within the crypto community to mitigate risks and protect user assets.