Hackers Attack DNS Servers of DeFi Projects Using Namecheap
- June 24, 2022
Since June 23, a number of DeFi projects have suffered attacks on their DNS servers, including Convex Finance, Allbridge, Ribbon Finance and DeFi Saver. All of them used the services of Namecheap domain registrar.
so far 4 #ethereum DeFi projects suffered a DNS hijacking attack. @ConvexFinans @seritfinans @DeFiSaver and Allbridge.
they all use @Namecheap and logged into their account to see that DNS had changed. So far, namecheap has not made any statements. @Namecheap this is serious pic.twitter.com/KD9w8GJAgp
— Lefteris Karapetsas | Recruitment for @rotkiapp (@LefterisJP) 24 June 2022
On June 24, the Convex Finance team reported that attackers took control of the project’s DNS server to prompt users to approve malicious smart contracts.
DeFi Saver said it encountered a “DNS attack attempt” on June 23. According to the developers, no users were harmed: the attack was quickly detected and the necessary measures were taken.
Thanks to the security alerts, the attack was noticed in real time and the team responded quickly.
As with the others, strong passwords and 2fa were used and we do not recognize the security factors that could lead to this.
We continue to monitor the situation closely.
— DeFi Saver (@DeFiSaver) 24 June 2022
The Ribbon Finance team also reported a DNS attack on the app.ribbon.finance server. The developers stated that they patched the vulnerability, but at the time of the event, two users had approved the malicious smart contracts.
Analysts on the MistTrack platform noted that one of the victims lost 16.5 WBTC (~$350,840 at the time of writing).
Ribbon Finance suffered a DNS hijacking attack. On-chain analysis showed it to be the same attacker as Convex. One victim lost 16.5 WBTC. Transaction details https://t.co/65Q8jaKa7u https://t.co/lrwkz6z6AJ pic.twitter.com/3YYJWoTmUq
— MistTrack (@MistTrack_io) 24 June 2022
Allbridge developers discovered that in some cases the app’s smart contract requested re-approval on EVM-compatible networks, even where approval had already been given.
The investigation showed that the attackers gained access to the DNS records of the cross-chain bridge and sent another approval request to some users, replacing the address of the Allbridge smart contract used by the interface with a malicious one.
4/9 Further investigation revealed that the attacker gained access to the bridge DNS records and triggered another token confirmation request for some users, replacing the Allbridge SC address with a malicious one using first and last symbols similar to our official agreements.
– Allbridge (@Allbridge_io) 24 June 2022
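An address that shares its first and last characters with the official contract passes a glance at a shortened address, so the check has to compare all 20 bytes. The JavaScript below is an added example, not code from Allbridge or any affected project: it decodes an ERC-20 `approve` call and classifies the spender against an allowlist. The allowlist, all addresses and the function names are constructed for illustration.

```javascript
// Added example. Every address here is a constructed placeholder, not a real contract.
const OFFICIAL = ["0xab12cd34" + "0".repeat(24) + "ef56ab78"]; // hypothetical allowlist
const APPROVE_SELECTOR = "095ea7b3"; // ERC-20 approve(address,uint256)

// Extract the spender from approve() calldata; null if it is not a well-formed approve call.
function spenderFromApprove(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  // 4-byte selector + two 32-byte arguments = 136 hex characters
  if (!/^[0-9a-f]{136}$/.test(hex) || !hex.startsWith(APPROVE_SELECTOR)) return null;
  const word = hex.slice(8, 72); // first argument: the spender, left-padded to 32 bytes
  if (!word.startsWith("0".repeat(24))) return null;
  return "0x" + word.slice(24);
}

// Compare the full address first; only then test the shortened form a user might eyeball.
function classifySpender(spender, allowlist = OFFICIAL, edge = 4) {
  const s = spender.toLowerCase().slice(2);
  const known = allowlist.map((a) => a.toLowerCase().slice(2));
  if (known.includes(s)) return "official";
  const lookalike = known.some(
    (o) => o.slice(0, edge) === s.slice(0, edge) && o.slice(-edge) === s.slice(-edge)
  );
  return lookalike ? "lookalike" : "unknown";
}

// Verdict for one transaction payload that an interface asks the wallet to sign.
function checkApproval(data, allowlist = OFFICIAL) {
  const spender = spenderFromApprove(data);
  if (spender === null) return { spender: null, verdict: "not-approve" };
  return { spender, verdict: classifySpender(spender, allowlist) };
}

// Constructed sample calldata: selector + padded spender + maximum uint256 amount.
function buildApprove(spender) {
  return "0x" + APPROVE_SELECTOR + spender.slice(2).padStart(64, "0") + "f".repeat(64);
}
// Constructed spoof: same first and last 4 hex characters as OFFICIAL[0], different middle.
const SPOOFED = "0xab12" + "9".repeat(32) + "ab78";

console.log(checkApproval(buildApprove(OFFICIAL[0])));
console.log(checkApproval(buildApprove(SPOOFED)));
```

A `lookalike` verdict is the case worth alerting on: the spender is not on the allowlist but was built to resemble an entry that is.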
Allbridge co-founder Andrei Veliky emphasized in a conversation with ForkLog that smart contracts are not compromised and user funds are currently safe.
The team fixed the DNS problem: the project switched to Cloudflare as its provider and implemented additional security protocols. Affected users have been notified to revoke their approvals.
According to Veliky, the project’s Namecheap account was protected by two-factor authentication. When the developers contacted the company, it blocked Allbridge’s account but refused to provide any data that could help solve the case.
The expert also said that about 23 cryptocurrency projects have faced a similar DNS attack. He noted that the only common denominator between them was Namecheap, adding that the affected group is considering filing a lawsuit against the provider.
ForkLog has submitted a comment request to Namecheap and will update the post when it receives a response.
Recall that on June 24, a hacker stole about $100 million during an attack on the Horizon cross-chain bridge of the Harmony protocol.
Source: Fork Log
I’m Sandra Torres, a passionate journalist and content creator. My specialty lies in covering the latest gadgets, trends and tech news for Div Bracket. With over 5 years of experience as a professional writer, I have built up an impressive portfolio of published works that showcase my expertise in this field.