Compound, Celer attack may have been caused by faulty migration system — DNS experts
The July 11 Compound and Celer attacks may have been rooted in a Squarespace migration, and blockchain may help prevent future attacks.
A July 11 domain name system (DNS) attack against multiple Web3 protocols may have been allowed by a faulty Google Domains to Squarespace migration system, according to several DNS experts. According to some of the experts, tokenized web domains will significantly reduce the risk of these types of attacks occurring in the future.
On July 11, multiple Web3 protocols were targeted in a widespread DNS hijacking attack. Blockchain investigator ZachXBT discovered that the website for Compound finance was redirecting to a malicious phishing site designed to steal users’ tokens. Later in the day, Celer Network announced that its website had been targeted, although in this case the attack had been detected and blocked.
Blockchain security firm Blockaid reported that the attack seemed to be associated with “projects hosted on Squarespace,” implying that the vulnerability may have its roots in Squarespace’s domain registration system.
In a July 12 conversation with Cointelegraph, Matt Gould, founder of tokenized domain protocol Unstoppable Domains, theorized that the attack may have been caused by the migration of users from Google Domains to Squarespace, which may have allowed these users to become victims of phishing attacks. Gould stated:
“Right now, if you’re a customer for Google Domains and you need to move over to Squarespace, then you have to create a new account. So you’re a really easy, soft target for someone doing a phishing campaign. They can say, ‘Hey, you need to create your new Squarespace account. You haven’t done it yet. Your time is running out. Click this link.’”
In a post to X, Victor Zhou, founder of tokenized domain protocol Namefi, expressed a similar view. “It [was suspected] […] that the cause was likely these projects were registered by Google Domains. When @Google sold its domain business to @SquareSpace a few months ago, the migration involved forcefully terminating Multi-Factor Authentication, and the attackers were able to compromise it with merely a password.”
A report from cybersecurity firm Security Alliance also blamed a faulty migration process for the hack. According to it, “the most likely explanation” or “strongest theory” is that Squarespace automatically assigned the relevant domains to the Google email addresses associated with their owners.
This allowed the users to access their domains immediately after they created an account on Squarespace. However, because Squarespace does not require email verification for new accounts created with a password, the attacker could log in with just the email of the Google Domains owner. Security Alliance suggested this mistake may have occurred because Squarespace admins assumed users would create their accounts with a Google login.
The report stated:
“Based on all the data we have, we think the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would use the ‘Continue with Google’ login method, […] Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain[.]”
Cointelegraph contacted Squarespace for comments but did not receive a response before publication.
Gould suggested that this type of attack could be prevented in the future if Web3 protocols tokenize their domains and hold them on a blockchain network.
“If we can put domains on-chain, then when you need to make an update to your DNS settings, you could ask the customer to sign a message with their key,” he stated. “And if you put that extra step of security in there, […] then it’s not possible for someone to phish your account […] because they would have to compromise not only your Squarespace account, but they’d have to also compromise your wallet, your key.”
For extra protection, a user could implement a two-of-three multisignature requirement, where at least two team members must sign a transaction to change DNS settings, Gould claimed.
Another more radical option would be to place the web registrar itself onchain. In this case, migrations would no longer be necessary. Changing providers would be like switching from one merchant to another. “If all the records have been onchain and they needed to update the registrar, they wouldn’t have to ask the users to all create new accounts,” he stated.
Related: Pudgy Penguins enables access to its virtual world with Unstoppable Domains
Zhou also claimed that tokenized domains will help to prevent these kinds of attacks. “Tokenized domain names provide the possibility to enable advanced security measures based on their programmable ownership,” he stated. They “can enable Threshold Signature Signing, meaning multiple users can control the domain together.”
Unlike with non-tokenized domains, “where your MFA [multifactor authentication] can be turned off,” tokenized or blockchain-based domains “ensure that MFA is controlled by the domain owner instead of an intermediary like SquareSpace.” And they can allow for a “social recovery mechanism” in case a domain owner loses his private key, Zhou stated.
In Zhou’s view, tokenized domains “provide a much better foundation for advanced security measures” than the current centralized system domain owners have become familiar with.
Despite these potential security improvements, Nick Johnson, founder of tokenized domain protocol Ethereum Name Service (ENS), warned that blockchain-based registry systems are not a silver bullet that will solve all security problems. “Certainly tokenized domains can make it easier to protect yourself against […] user end risks,” Johnson told Cointelegraph on July 22. “Tokenizing your name so that it’s controlled by an Ethereum account, for instance, means that you can put all of the security that applies to your Ethereum account behind it.”
However, he warned that “what it can’t do is protect against issues that come from the provider, like the Squarespace hack, because being able to compromise the provider means you can potentially bypass all of those limitations.”
Although tokenizing domains “brings a lot of benefits,” Johnson stated, “I don’t think it intrinsically makes things more secure.” A better way of gaining security is to be “extraordinarily careful of who you trust with the crown jewels of your organization.”
Johnson claimed that most tokenized domain providers “probably intrinsically have a bit more focus on security than average,” and this may account for the perception that they are more secure. But it doesn’t “automatically make them more secure.”
According to Johnson, the main advantage of tokenizing domains is that it allows domain owners to easily register Ethereum usernames. For example, through an ENS partnership with GoDaddy, owners of GoDaddy domains can create Ethereum usernames through ENS, and to do so, they “simply check a box and enter the address you want your name to resolve to, and you’re done.”
According to GoDaddy’s help page on the topic, the primary advantage for a website owner to have an Ethereum username is that it allows them to receive payments to their domain name. Otherwise, they would need to hand out an Ethereum address to every user who wanted to send them cryptocurrency.
DNS attacks continue to threaten crypto users. On July 23, just 12 days after the attacks against Compound and Celer, crypto exchange dYdX also saw its v3 user interface get hijacked by an attacker. In this case, the attacker injected a malicious crypto-draining app directly into the exchange’s wallet connection function.
Responses