QUADRIGA INITIATIVE
A COMMUNITY-BASED, NOT-FOR-PROFIT CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
$108 000 USD
MAY 2022
GLOBAL
QUICKSWAP
DESCRIPTION OF EVENTS
"On Friday, May 14th at approximately 12 am UTC, hijackers gained access to QuickSwap’s DNS through a vulnerability in GoDaddy - where QuickSwap’s domain was hosted. Before QuickSwap was able to regain control of our domain, several DEX users lost money by swapping through the platform. What follows is a more detailed explanation of what happened, what we’ve done to ensure something like this doesn’t happen again, and a governance proposal about whether QuickSwap should use funds from our treasury to issue an endowment to those who were affected."
"QuickSwap’s co-founder and lead developer Sameep Singhania was on the phone with GoDaddy Support trying to figure out what happened and regain access to our domain. After several hours of arguing and going through multiple GoDaddy representatives, Sameep finally convinced someone on the support team to change the email address back to one that is in QuickSwap’s control. This helpful GoDaddy associate also reset the 2-factor authentication to Sameep’s control. This was all done without GoDaddy’s support staff taking a single measure to confirm Sameep’s identity or ensure that he was the rightful owner of the QuickSwap domain."
"From the GoDaddy logs, we can see that someone was able to change the email address QuickSwap provided to his or her personal address. From our own experience getting the email address reset, we know how easily this can be accomplished with GoDaddy support. After gaining access to the email and 2FA, the attacker changed the password and was then able to change the DNS settings. S/he pulled the code from the beta version of our UI from GitHub and the phishing attack began. All in, approximately $107,600 USD was traded on QuickSwap during the phishing attack and lost to the attacker."
Decentralized exchange QuickSwap used and trusted GoDaddy for its domain name services. One day, an attacker managed to convince GoDaddy to modify the domain's DNS settings, directing the domain name to the attacker's own server, which hosted a malicious replica of the QuickSwap website. Users who tried to use the QuickSwap website were instead interacting with the malicious version, which routed their funds to the attacker's wallet. In total, the attacker was able to take $108,000 worth of funds before the domain could be fully rerouted back to the proper server. The QuickSwap team has put together a reimbursement fund for all affected users.
BlockThreat - Week 25, 2022 - by Peter Kacherginsky (Mar 18)
Post Mortem on This Weekends Dns Event (Apr 3)
QuickSwap’s GoDaddy Domain Hijack: How it Happened & Our Proposal to Restore the Community - QuickSwap Blog (Apr 3)
QuickSwap - Leading DEX on Polygon (Apr 3)
QuickSwap’s GoDaddy Domain Hijack: How it Happened & Our Proposal to Restore the Community | by QuickSwap Official | Medium (Apr 3)
@Mudit__Gupta Twitter (Apr 3)
BlockThreat - Week 19, 2022 - by Peter Kacherginsky (Apr 3)
@QuickswapDEX Twitter (Apr 3)
Telegram: Contact @QuickSwapAnnouncements (Apr 3)