The recent DNS hijacking attack on decentralized finance (DeFi) protocols has left hundreds of protocol front ends vulnerable. Blockaid, a blockchain security firm, has provided insights into the potential extent and nature of this breach.
Attack on DNS Records Hosted on Squarespace
The attackers targeted DNS records hosted on Squarespace, redirecting them to IP addresses associated with known malicious activities, according to Ido Ben-Natan, co-founder and CEO of Blockaid. The Ethereum-based DeFi protocol Compound and the multi-chain interoperability protocol Celer Network were impacted on Thursday. Their front ends redirected visitors to a page designed to drain funds from connected wallets.
Widespread Vulnerability Across DeFi Protocols
The full extent of the hijack is still unknown, but according to Ben-Natan approximately 228 DeFi protocol front ends remain at risk. The attackers have been linked to the Inferno Drainer group, which is known for reusing shared onchain and offchain infrastructure: wallet and smart contract addresses as well as IP addresses and domains.
Inferno Drainer’s Malicious Operations
Inferno Drainer’s wallet kit is a tool used by cybercriminals to steal funds by prompting users to sign malicious transactions. Once the transaction is signed, the drainer kit swiftly transfers the funds from the victim’s wallet to the attacker’s address. This kit is often deployed through phishing websites or compromised domains.
Blockaid’s Efforts to Combat the Threat
Blockaid is actively tracking the addresses involved in these attacks and is working closely with the community to report compromised sites. Creating verified onchain records for domains would give browsers and other systems an additional layer of protection, helping to offset the risk of DNS attacks.
Enhancing Security Measures
Matthew Gould, founder of Web3 domain provider Unstoppable Domains, suggested that DNS records can be configured so that they are not updated unless a verified onchain signature is provided. To change the DNS records of a Web3 domain, users must already provide a signature for verification before any update is made. Although this does not rely on an onchain mirror host, it still ties every update to a verification of the user’s identity.
Gould proposed a new feature under which DNS updates would require a signature from the user’s wallet. This raises the bar for attackers, who would then have to compromise both the registrar and the user separately.