Hackers attacked the DNS servers of DeFi projects that are Namecheap clients

Since June 23, a number of DeFi projects, including Convex Finance, Allbridge, Ribbon Finance and DeFi Saver, have faced attacks on their DNS servers. All of them used the services of the Namecheap domain name registrar.

On June 24, the Convex Finance team reported that attackers had seized control of the project’s DNS server in order to invite users to approve malicious smart contracts.

DeFi Saver stated that on June 23 they encountered “an attempt at a DNS attack.” According to the developers, no users were affected; the attack was quickly detected and the necessary measures were taken.

The Ribbon Finance team also reported a DNS attack on the app.ribbon.finance server. The developers said they had closed the vulnerability, but during the incident two users approved malicious smart contracts.

Analysts of the MistTrack platform noted that one of the victims lost 16.5 WBTC (~$350,840 at the exchange rate at the time of writing).

Allbridge developers found that in some cases the smart contract of the application asked for re-approval for EVM-compatible networks, even if it had already been granted earlier.

The investigation showed that the attackers gained access to the DNS records of the cross-chain bridge and issued another request for approval for some users, replacing the address of the Allbridge smart contract to which the interface leads with a malicious one.
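What a swapped contract address looks like at the transaction level, as an added example that is not part of the original article or any project's code: it decodes an approval request and checks the spender against an allowlist before signing. It assumes the approvals are standard ERC-20 `approve(spender, amount)` calls; the allowlist, addresses and calldata are constructed placeholders.

```python
# Added example: every address and calldata string below is constructed.
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = 2**256 - 1

# Hypothetical allowlist: spender contracts the project published out of band
# (docs, audited repository), not whatever the web front end currently serves.
KNOWN_SPENDERS = {
    "0x1111111111111111111111111111111111111111": "bridge contract (placeholder)",
}

def decode_approve(calldata):
    """Return (spender, amount) for approve() calldata, or None for any other call."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if not data.startswith(APPROVE_SELECTOR):
        return None
    args = data[8:]
    if len(args) != 128:
        raise ValueError("approve() takes exactly two 32-byte arguments")
    bytes.fromhex(args)  # raises ValueError on non-hex input
    spender_word, amount_word = args[:64], args[64:]
    if spender_word[:24] != "0" * 24:
        raise ValueError("address argument is not zero-padded to 32 bytes")
    return "0x" + spender_word[24:], int(amount_word, 16)

def review_approval(calldata, known_spenders=KNOWN_SPENDERS):
    """Classify a pending transaction before it is signed."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return {"verdict": "not-an-approval"}
    spender, amount = decoded
    label = known_spenders.get(spender)
    return {"verdict": "ok" if label else "unknown-spender",
            "spender": spender, "label": label,
            "unlimited": amount == UNLIMITED}

def build_approve(spender, amount):
    """Build constructed sample calldata for the demo and tests."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

# Constructed samples: the expected request, and one whose spender was swapped.
LEGIT = build_approve("0x1111111111111111111111111111111111111111", 10**8)
SWAPPED = build_approve("0x2222222222222222222222222222222222222222", UNLIMITED)

if __name__ == "__main__":
    for name, tx in (("legit", LEGIT), ("swapped", SWAPPED)):
        print(name, review_approval(tx))
```

The check only helps if the allowlist comes from a source the DNS-controlled front end cannot alter.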

In a conversation with ForkLog, Allbridge co-founder Andrey Velikiy stressed that smart contracts have not been compromised, and user funds are safe at the moment.

The team fixed the DNS problem — the project switched to the Cloudflare provider and implemented additional security protocols. Affected users have been notified of the need to revoke approvals.

According to Velikiy, the project's Namecheap account was protected by two-factor authentication. When the developers contacted the company, it blocked Allbridge's account but refused to provide data that could help investigate the incident.

The specialist also said that about 23 cryptocurrency projects faced a similar DNS attack. He noted that Namecheap is the only common denominator among them, and added that a group of victims is considering filing a lawsuit against the provider.

ForkLog has sent Namecheap a request for comment and will update the material when it receives a response.

As a reminder, on June 24 a hacker stole about $100 million in an attack on the Horizon cross-chain bridge of the Harmony protocol.