$72 000 USD

MAY 2022

GLOBAL

SPIRITSWAP

DESCRIPTION OF EVENTS

"Embrace your DeFi SPIRIT. The SpiritSwap protocol captures the essence of everything Defi 2.0 on the Fantom network, delivering a complete hub for trading, invest regularly, farming and reward sharing."

"SpiritSwap is a decentralized exchange (DEX) on the Fantom Opera Chain. SpiritSwap's design was originally based on the Uniswap constant-product automated market maker (AMM).

With the recent Uniswap V3 license expiry sparking a wave of innovation and forks in the crypto community, SpiritSwap is integrating Algebra into its protocol to enhance efficiency and capitalize on crypto assets. The integration of Algebra's codebase offers SpiritSwap and its users a unique advantage, setting it apart from Uniswap V3 and other DEXs. Algebra's technology promises to redefine the DeFi space, offering market participants new opportunities and efficiencies not available in traditional DEX models."

"Back in May, 2022 a GoDaddy employee was social engineered to take over SpiritSwap and QuickSwap domains. Unsuspecting users approved transfers to malicious contracts advertised on evil clones of the original websites."

"The team became aware that something was amiss via alerts from the moderator team and began investigating right away. (special thanks to our mods for being so active and vigilant, this is testament to how amazing you guys are!)"

"After spending 7 hours on various calls, the team was able to secure a higher point of contact to escalate the issue to GoDaddy.

During this time, the team sent an email explicitly highlighting the severity of the situation, detailing the loss of funds and pleading with GoDaddy that the longer they delayed verification of team ownership, the more funds would be liable for loss.

Ironically, the attacker was able to socially engineer the team at GoDaddy easier than SpiritSwap was able to verify its authority over the account. It is understood that GoDaddy has processes in place to follow, however this was not ideal given the urgency of the situation."

"1. As a precautionary measure, we have now changed domain providers to a company the team feels has better security layers and won’t be as easily socially engineered. The migration is now complete. With this new domain provider we have upgraded our package to a business tier which gives us a higher level of security and priority support in the event that we require their assistance. We have also spoken with this domain provider to ensure additional layers of security are implemented on their end.

2. The team has composed a war chest of strategies to throw barriers in the way of other possible attackers. For security reasons we will obviously not be disclosing these publicly.

3. As part of V2, the team is taking steps to make sure that our frontend interacts with a middleware which interacts with web3, so if a hacker were to gain control of the frontend the middleware would prevent any manipulation of web3 calls.

4. We are learning from top end protocols like Uniswap on best practices for decentralized hosting of the frontend to mitigate risks of such an attack being possible in the future."

"All affected users will be compensated in full for the swaps that they lost."

The decentralized exchange SpiritSwap used and trusted GoDaddy for its domain name services. One day, an attacker convinced GoDaddy to modify the domain's DNS records, pointing the domain at a server the attacker controlled, which hosted a malicious replica of the SpiritSwap website. Users who tried to interact with SpiritSwap were instead interacting with the malicious version, which routed their funds to the attacker's wallet. In total, the attacker took $72,000 worth of funds before control of the domain was restored and it was pointed back at the proper server. The SpiritSwap team has put together a reimbursement fund for all affected users.
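The kind of web3-call guard that item 3 of the team's list describes, as an added example that is not SpiritSwap's code: it decodes an ERC-20 approve(address,uint256) request and refuses any approval whose spender is not on a pinned allowlist of the protocol's known contracts, which is exactly the approval the clone site tricked users into signing. The allowlisted addresses and sample calldata are constructed placeholders, not real SpiritSwap contracts.

```javascript
// Added example, not SpiritSwap's code: a guard for outgoing web3 calls that
// decodes ERC-20 approve(address,uint256) calldata and rejects approvals whose
// spender is not a pinned, known-good contract. The addresses below are
// constructed placeholders, not real SpiritSwap contracts.

// First 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";

// Spenders the legitimate frontend is ever expected to request approval for.
const ALLOWED_SPENDERS = new Set([
  "0x1111111111111111111111111111111111111111", // placeholder: router
  "0x2222222222222222222222222222222222222222", // placeholder: farm
]);

// ABI-encode an approve() call (used here to build sample transactions).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = BigInt(amount).toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Decode calldata; returns null when it is not a well-formed approve() call.
function decodeApprove(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length !== 136 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  // Word 1 is the spender address, right-aligned in 32 bytes; word 2 the amount.
  const spender = "0x" + hex.slice(32, 72);
  const amount = BigInt("0x" + hex.slice(72, 136));
  return { spender, amount };
}

// Inspect one eth_sendTransaction request before it reaches the wallet.
// Non-approve calls pass through; approvals to unknown spenders are blocked.
function guardTransaction(tx) {
  const call = tx && tx.data ? decodeApprove(tx.data) : null;
  if (!call) return { allowed: true, reason: "not an approve() call" };
  if (!ALLOWED_SPENDERS.has(call.spender)) {
    return { allowed: false, reason: `approve() to unknown spender ${call.spender}` };
  }
  return { allowed: true, reason: `approve() to allowlisted spender ${call.spender}` };
}

// Constructed sample: one approval to the router, one to an unknown contract.
const SAMPLE_OK = { data: encodeApprove("0x1111111111111111111111111111111111111111", 1000n) };
const SAMPLE_BAD = { data: encodeApprove("0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", 1000n) };
```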

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.