QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$31 000 USD
JULY 2024
GLOBAL
DYDX EXCHANGE
DESCRIPTION OF EVENTS
"Perpetuals, decentralized." "Trade Perpetual Contracts with low fees, deep liquidity, and up to 25× more Buying Power. Deposit just $10 to get started."
"We built the fastest and most powerful decentralized exchange ever." "Once you deposit to Layer 2, you will no longer pay fees to miners for each transaction." "Trades are executed instantly and confirmed on the blockchain within hours." "Unlike other platforms, there is no wait required to withdraw your funds from Layer 2." "We've redesigned our exchange from the ground up, so you can use it from any device." "StarkWare's Layer 2 solution provides increased security & privacy via zero-knowledge rollups." "Access leverage across positions in multiple markets from a single account."
"dYdX is the leading DeFi protocol developer for advanced trading. Trade 135 cryptocurrencies with low fees, deep liquidity, and up to 20× buying power."
"In 2023, Squarespace acquired the rights to all domains from the now-defunct Google Domains. All domains were migrated over a period of months. The domain dydx.exchange, owned by dYdX Trading, was migrated from Google Domains to Squarespace on June 15, 2024."
"On July 9, while registered with Squarespace, attackers gained access to the dydx.exchange domain, and modified the DNS Nameservers from Cloudflare to DDoS-Guard. This attack was mitigated by DNSSEC settings that remained set on the registrar. This resulted in would-be-visitors’ browsers failing to authenticate the DNS changes, and correctly blocking users from viewing the page.
dYdX promptly contacted Squarespace customer service during this incident and they restored access to the account quickly according to their account-recovery policies. dYdX ensured that all passwords and 2FA were rotated on Squarespace accounts and that the attacker’s access was fully removed. The attack was completely mitigated and fixed within a couple of hours.
Two days later on July 11, several additional reports of targeted attacks on crypto-specific domains — which had been migrated from Google Domains to Squarespace — were reported. As a result, SEAL, a crypto-focused security team, put together an incident-response team to figure out what was going on, how the attack could be mitigated, and how to get any relevant information to Squarespace itself. At this point, dYdX realized that the earlier incident was likely part of a broader attack against crypto domains, and assisted the investigators. At this time, dYdX also continued to monitor the dydx.exchange domain for any suspicious activity.
On July 14, SEAL published a postmortem on the issue based on their findings, but without much direct information from Squarespace. This postmortem suggested that there were one-or-more technical vulnerabilities in Squarespace that allowed for these attacks to happen.
On July 18, Squarespace posted a longer postmortem which confirmed an exploited security issue with OAuth logins on their site. It included information that the issue was fixed on July 12.
While dYdX decided to change domain registrars, dYdX believed that Squarespace had successfully mitigated the attack and fixed the vulnerability."
"Two users were affected, resulting in a loss of approximately $31,000."
"During the roughly 2 hours that the http://dydx.exchange domain was hijacked, 2 users lost funds totaling about $31k. dYdX Trading is in contact with those users and will ensure that they are made whole."
"On July 23, the dydx.exchange domain was discovered to have been compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address."
"On July 23, it was discovered that the dydx.exchange domain was compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. dYdX immediately contacted Squarespace customer support. Squarespace was able to return possession of the domain as well as fix the DNS Nameserver resolution within a couple of hours. The recovery process was delayed for over 30 minutes due to maintenance from one of Squarespace’s third-party vendors which prevented changing the DNS Nameservers back to Cloudflare.
The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address. During this time, dYdX also worked with SEAL and other partners to ensure that popular crypto wallets like Metamask and Phantom would block the site for the duration of the attack. To our knowledge at the time of publishing, 2 users were affected with approximately $31,000 in lost funds due to this attack. dYdX Trading is in contact with both affected users and is assisting in securing their wallets and is committed to recovering funds."
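The two incidents above differ in one detail that decided the outcome: on July 9 the nameservers were changed but the DS records stayed, so validating resolvers failed closed; on July 23 the DS records were removed as well. The following Python is an added example (not dYdX's, SEAL's or Squarespace's code) of a registrar-side delegation check that distinguishes those two states; the Cloudflare nameserver suffix, the DDoS-Guard hostnames and the DS rdata are constructed placeholders, not values from the incident record.

```python
"""Delegation-drift check modelled on the dydx.exchange hijacks (added example)."""
from dataclasses import dataclass

# Constructed baseline: the page says the domain was delegated to Cloudflare with
# DNSSEC enabled at the registrar. The exact hostname suffix is an assumption.
EXPECTED_NS_SUFFIX = ".ns.cloudflare.com"


@dataclass
class Finding:
    severity: str  # "high" or "critical"
    message: str


def _norm(name: str) -> str:
    """Canonicalise a hostname: lowercase, no trailing dot, no stray spaces."""
    return name.strip().lower().rstrip(".")


def assess_delegation(observed_ns, observed_ds, expected_suffix=EXPECTED_NS_SUFFIX, expect_ds=True):
    """Compare the parent-zone NS and DS records for a domain to the baseline.

    observed_ns: NS hostnames as published by the parent (TLD) zone.
    observed_ds: DS records at the parent; an empty list means DNSSEC is off.
    Returns a list of Findings; an empty list means the delegation is intact.
    """
    foreign = [n for n in map(_norm, observed_ns) if not n.endswith(expected_suffix)]
    ds_present = len(observed_ds) > 0
    findings = []
    if foreign and ds_present:
        # July 9 pattern: NS moved, DS still published. The new nameservers cannot
        # sign with the registered key, so validating resolvers return SERVFAIL
        # instead of the attacker's answers. Users see an error, not a fake site.
        findings.append(Finding("high", f"NS moved to {foreign}; DS still present, validators fail closed"))
    elif foreign:
        # July 23 pattern: NS moved AND DS removed. Nothing stops resolution now.
        findings.append(Finding("critical", f"NS moved to {foreign} and DS removed; domain fully hijacked"))
    elif expect_ds and not ds_present:
        # DS gone but NS unchanged: precursor state worth alerting on immediately.
        findings.append(Finding("high", "DS records removed while NS unchanged; DNSSEC protection lost"))
    return findings


# Constructed samples approximating the states described on the page.
BASELINE = (["ann.ns.cloudflare.com.", "bob.ns.cloudflare.com."], ["<constructed DS rdata>"])
JULY_9 = (["ns1.ddos-guard.net.", "ns2.ddos-guard.net."], ["<constructed DS rdata>"])
JULY_23 = (["ns1.ddos-guard.net.", "ns2.ddos-guard.net."], [])


def worst_severity(findings):
    """Reduce a list of Findings to the single label a pager would carry."""
    order = {"critical": 2, "high": 1}
    return max((f.severity for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for label, (ns, ds) in {"baseline": BASELINE, "july_9": JULY_9, "july_23": JULY_23}.items():
        print(label, worst_severity(assess_delegation(ns, ds)))
```

A production version would feed `assess_delegation` with NS and DS answers queried from the TLD servers on a schedule, since the registrar-side delegation is exactly what the attacker rewrote.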
SOURCES
SlowMist Hacked - SlowMist Zone (Aug 30)
DNS Nameserver Hijacking Postmortem (Aug 30)
dYdX - Trade Perpetuals on the most powerful trading platform (Aug 30)
@llamaonthebrink Twitter (Aug 30)
@open4profit Twitter (Aug 30)
@LawrenceChiu14 Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@Wazzup_Crypto Twitter (Aug 30)
@DerekTMcKinney Twitter (Aug 30)
@TechFlowPost Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@dYdX Twitter (Aug 30)
@GoPlusSecWareX Twitter (Aug 30)
@Echoeweb Twitter (Aug 30)
@parrot_coins Twitter (Aug 30)
@veritas_web3 Twitter (Aug 30)