- Several DeFi apps, including Compound Finance, were targeted in a domain registry attack in which the attacker took control of the DNS registry.
- According to the CEO of Blockaid, there are about 228 DeFi protocol interfaces that are still vulnerable.
On July 11, according to a post on X (previously Twitter) from blockchain security platform Blockaid, several decentralized finance (DeFi) apps were targeted in a domain registry attack. The attacker took control of the DNS registry for the Ethereum-based DeFi protocol Compound Finance.
⚠️ Developing situation - Multiple DeFi front ends are at risk of hijacking, with a few incidents already taking place, with projects like @compoundfinance and @CelerNetwork getting hacked over the past 24 hours.
We will update this thread with details as we go. pic.twitter.com/iWQR0ByIgB
— Blockaid (@blockaid_) July 11, 2024
The same day, researcher ZachXBT warned users on Telegram to avoid the Compound Finance website, which redirected to a phishing site. The DeFi protocol was the first to be hijacked because of the vulnerability.
Multi-chain interoperability protocol Celer Network reported a similar cyber attack but successfully defended against it. Meanwhile, DefiLlama developer “0xngmi” identified and shared a list of over 100 vulnerable domains on GitHub, including Polymarket, dYdX, and Pendle Finance.
Blockaid suspects the attacker is exploiting domain names hosted on Squarespace, potentially endangering any DeFi app using Squarespace domains.
Now, according to Decrypt media, about 228 DeFi protocol interfaces remain vulnerable. Ido Ben-Natan, co-founder and CEO of Blockaid, told Decrypt that the association with Inferno Drainer is evident. This includes onchain wallet and smart contract addresses as well as offchain IP addresses and domains linked to Inferno.
In the past year, domain name hijacking has been a problem for the Web3 industry. In December last year, an attacker inserted harmful code into the Ledger Connect library, which is widely used by most Web3 apps for wallet connections, impacting almost the entire Ethereum Virtual Machine ecosystem.
Edited by Harshajit Sarmah