Celer Network thwarts attempted DNS attack that allegedly puts 128 Web3 projects at risk

Quick Take

  • Celer Network intercepted a website takeover; Compound Finance warns of phishing site.
  • Breaches linked to Squarespace’s acquisition of Google Domains and loss of two-factor authentication.
  • Thursday’s attack less successful, with minimal funds stolen and wallets blocking attackers.

Celer Network, one of two Web3 companies whose websites have been compromised, has said it “successfully intercepted” the attempted takeover of its website. The Block reported early Thursday that the issues potentially stem from suspected problems at domain hosting firm Squarespace. Meanwhile, Compound Finance is still warning users not to access its front-end website, which has been redirected to a malicious phishing site.

Phishing schemes are common in crypto. Sometimes the social media accounts of high-profile celebrities or industry figures are hacked and their followers are sent malicious wallet links. Attacks on protocol websites themselves are less common, though they do happen.

Michael Lewellen, a Compound DAO security advisor and developer at audit firm OpenZeppelin, said on X that the community should be on high alert and avoid the $2 billion decentralized lending protocol’s website. Celer posted a similar alert four hours later, which has since been deleted.

The original message warned of a “DNS domain attack” that was “hitting multiple projects at the same time.” 

DeFiLlama developer 0xngmi suspects that at least 128 protocols’ front-end websites are also at risk, including popular applications Pendle Finance, dYdX, Thorchain and Axelar. He clarified that these sites are not compromised but are at “risk” because they use Squarespace.

For its part, on Thursday morning, Axelar posted on social media site X that "no issue has been identified with any Axelar website" and that its "teams are continuing to monitor the situation closely."

Squarespace has not confirmed the attacks or posted an alert suggesting it was investigating any compromised systems. The last update on its status page concerned a problem with Domain Reselling that was resolved two weeks ago.

Suspected Squarespace vulnerabilities may have led to breach

Web3 security firm Blockaid and pseudonymous researcher Samczsun both suggested that the issue stems from the Squarespace domain registrar recently acquired from Google Domains. During the transition, several web pages allegedly lost their two-factor authentication, putting them at risk for exploitation. 

Looking at online records, it appears that attackers hijacked the projects’ DNS records and linked them to a new, compromised IP address. 
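A defender-side check that fits the pattern just described, added here as an example and not part of the article: pinned A and NS records for each front-end domain are diffed against what a resolver returned, and any nameserver change is ranked above an address change because it signals that control of the zone itself moved at the registrar. All domains, IP addresses and nameservers below are constructed placeholders.

```python
# Known-good records pinned by the operator (constructed, RFC 5737/2606 values).
EXPECTED = {
    "app.example.org": {"A": {"203.0.113.10"},
                        "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."}},
    "docs.example.org": {"A": {"203.0.113.11"},
                         "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."}},
}

# Constructed resolver answers: app.example.org now points at a new IP and is
# delegated to nameservers the operator never configured; docs.example.org is
# unchanged.
OBSERVED = {
    "app.example.org": {"A": {"198.51.100.77"},
                        "NS": {"ns1.unknown-host.example.", "ns2.unknown-host.example."}},
    "docs.example.org": {"A": {"203.0.113.11"},
                         "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."}},
}

# An NS change means control of the zone itself moved (registrar/DNS account),
# so it outranks an A-record change.
SEVERITY = {"NS": "critical", "A": "high"}
RANK = {"critical": 0, "high": 1, "warning": 2}


def diff_domain(name, expected, observed):
    """Findings for one domain: one per record type that drifted from baseline."""
    if observed is None:  # resolution failed entirely; worth a look but not proof
        return [{"domain": name, "type": "*", "severity": "warning",
                 "added": [], "removed": []}]
    findings = []
    for rtype, want in expected.items():
        got = observed.get(rtype, set())
        if got != want:
            findings.append({"domain": name, "type": rtype,
                             "severity": SEVERITY[rtype],
                             "added": sorted(got - want),
                             "removed": sorted(want - got)})
    return findings


def check_domains(expected=EXPECTED, observed=OBSERVED):
    """Diff every pinned domain against resolver output, worst findings first."""
    findings = []
    for name, want in expected.items():
        findings.extend(diff_domain(name, want, observed.get(name)))
    return sorted(findings, key=lambda f: RANK[f["severity"]])
```

In production the OBSERVED map would be filled from a scheduled query against an independent resolver, and a critical finding should page the on-call rather than land in a log.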

According to Blockaid, the attackers used a known “drainer kit” associated with the wallet-draining group Inferno Drainer. Inferno has stolen at least $180 million worth of crypto from over 189,000 victims since its inception in August 2023, according to Dune Analytics data.

However, Thursday’s exploit appears to have been less successful. An address linked to the malicious site holds less than $1,400 in altcoins. A second address, active for nearly a year, holds more than $142,000 worth of ETH.

Several wallets, including MetaMask, Coinbase Wallet and Zerion, have already blocked the addresses. 

It is not yet clear how the attack began: whether an employee at Squarespace was the culprit or had been socially engineered, or whether attackers found another way to access the protocols’ accounts. Neither protocol itself was compromised.

Over the years, attackers have exploited several other DeFi platforms in a similar way, including Curve Finance, Frax and PancakeSwap.

At least one Web3 project, Aloe Labs, noted that it will move to a new domain name provider. 


Updated: July 12 (03:25 UTC): Added statement from Axelar. 



© 2024 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Daniel Kuhn is a Senior Journalist and Editor at The Block, where he covers the crypto industry with a particular focus on tech. He previously served as deputy managing editor of opinion/features at CoinDesk. He first appeared in print in Financial Planning, a trade publication magazine. Before journalism, he studied philosophy as an undergrad, English literature in graduate school and business and economic reporting at an NYU professional program. You can connect with him on Twitter and Telegram @danielgkuhn or find him on Urbit as ~dorrys-lonreb.

Editor

Editor of this story: Lawrence Lewitinn.