Hackers Step Up Attempts to Hijack DeFi Websites

Hackers are increasingly targeting the front-end websites of DeFi protocols in a bid to steal users’ funds.

Convex Finance, a protocol offering boosted rewards for Curve liquidity providers and stakers, is urging users to be diligent in checking the addresses for contract approvals after its website was hijacked on Thursday.

Spoofing Attack

Convex is the sixth-largest DeFi protocol with a total value locked (TVL) of $3B, despite TVL dropping 6% over the past 24 hours, according to DeFi Llama.

On June 23, angel investor Alexintosh tweeted that Convex Finance was asking users to approve an unverified smart contract address, suggesting a hacker may have infiltrated Convex Finance’s website to execute a DNS (domain name server) spoofing attack.

Domain Name Servers allow users to access websites via simple text-based web addresses instead of typing out the exact IP address of each website they wish to visit, making the internet easier to use.

Convex Finance later confirmed that its DNS had indeed been hijacked, resulting in some users mistakenly approving malicious contracts. Convex launched two alternative domain names from which users can access the protocol as a precaution while an ongoing investigation into the DNS hijack is conducted.

The Convex team asked the owners of the wallets that had been spoofed to make contact via Twitter DM or its Discord channel. It also emphasized that user funds held in its verified smart contract remain safe and unaffected.

Security Precaution

Twitter user Bret Woods urged web3 users to carefully verify the addresses involved in every single crypto transaction they make as a security precaution. “Even on trusted sites we’re seeing UIs being hacked, leading to erroneous token approvals,” they said.

Meme-token DogeBonk tweeted that Convex should have used Domain Name System Security Extensions (DNSSEC) to add cryptographic authentication and defend against spoofing attacks.

The price of Convex’s native CVX token appears unaffected by the incident, having gained 2.5% in one day to trade for $4.60, according to CoinGecko.

Hijacking Attack

Convex is not the first DeFi project to suffer a DNS hijacking attack.

In March 2021, both Cream Finance and PancakeSwap reported that DNS spoofers had compromised their websites. The attack resulted in both protocols’ front-end websites requesting users to enter their seed phrase. If entered, the phrase would allow the attacker to take control of users’ wallets and drain their funds.

In December, BadgerDAO users lost about $130M in a front-end attack when its API key for Cloudflare, a website security service, was compromised. The attacker injected a malicious script into Badger’s front-end, intercepting transactions and requesting users to approve contracts under the hacker’s control.