Convex Finance Malicious DNS Hijack - Revision history

Azoundria: COMPLETE another 30 minutes. All transaction links were found/confirmed to be already integrated with Convex Finance. Reviewed and updated the article with additional information.

2024-02-26T17:42:26Z

COMPLETE another 30 minutes. All transaction links were found/confirmed to be already integrated with Convex Finance. Reviewed and updated the article with additional information.

Show changes

Azoundria: Blackchain analytics links added in.

2023-12-28T18:47:13Z

Blackchain analytics links added in.

← Older revision		Revision as of 12:47, 28 December 2023
Line 46:		Line 46:
	\|-		\|-
	\|June 20th, 2022 3:05:42 AM		\|June 20th, 2022 3:05:42 AM
	\|First Malicious Contract		\|First Malicious Contract Creation
	\|The very first smart contract is created by a wallet controlled from the attacker<ref>[https://etherscan.io/tx/0x50e6924604c8b1e1f8096f01aca0b35836c7d168fc0e99631f43d683717b13b5 First ~~Smart~~ Contract ~~Creation~~ - ~~EtherScan~~] (Feb 23, 2023)</ref>.		\|The very first smart contract is created by a wallet controlled from the attacker<ref name=":8">[https://etherscan.io/tx/0x50e6924604c8b1e1f8096f01aca0b35836c7d168fc0e99631f43d683717b13b5 First Transaction Creating Malicious Contract 0x65a8...3b2f - Etherscan] (Feb 23, 2023)</ref>. Malicious contract 0x65a8...3b2f<ref name=":9">[https://etherscan.io/address/0x65a8e56ee6b549456fd8927db3fa526b8d143b2f Unused Contract 0x65a8...3b2f - Etherscan] (Feb 27, 2023)</ref> was created by wallet 0x5622...781a<ref name=":8" /><ref name=":10">[https://etherscan.io/address/0x5622c77e1484840048d2064326ac77ddaad17d1a Wallet Address 0x5622...7d1a Who Created 0x65a8...3b2f - Etherscan] (Feb 27, 2023)</ref>.
	\|-		\|-
	\|June 20th, 2022 7:11:15 AM MDT		\|June 20th, 2022 7:11:15 AM MDT
Line 185:		Line 185:
	The domain names were modified to point to a server which displayed a similar website to Convex Finance, and requested the user to provide approval to vanity smart contracts which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />.		The domain names were modified to point to a server which displayed a similar website to Convex Finance, and requested the user to provide approval to vanity smart contracts which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />.

	Instead of function as the standard Convex Finance smart contract would, this new smart contract would enable the attacker to drain all of the user's funds from their wallet.<blockquote>"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."</blockquote>Smart Contracts Used:<ref>[https://etherscan.io/address/0xf403a2c10b0b9fef8f0d4f931df5d86ad187ae31 Vanity Phishing Smart Contract - Etherscan] (Dec 7, 2o23)</ref>		Instead of function as the standard Convex Finance smart contract would, this new smart contract would enable the attacker to drain all of the user's funds from their wallet.<blockquote>"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."</blockquote>Smart Contracts Used:<ref name=":11">[https://etherscan.io/address/0xf403a2c10b0b9fef8f0d4f931df5d86ad187ae31 Vanity Phishing Smart Contract 0xF403...AE31 - Etherscan] (Dec 7, 2o23)</ref>

	=== Use of Vanity Ethereum Addresses ===		=== Use of Vanity Ethereum Addresses ===
Line 257:		Line 257:

	And because @MetaMask only shows the first and last few characters, and so you only checked the first and last few characters, I was able to make you interact with another address that just so happens to begin and end the same way you expected it to.</blockquote>		And because @MetaMask only shows the first and last few characters, and so you only checked the first and last few characters, I was able to make you interact with another address that just so happens to begin and end the same way you expected it to.</blockquote>

			=== Blockchain Analytics ===
			Various notable addresses and transactions from Etherscan for further research/analysis:

			<ref>[https://etherscan.io/tx/0x4e2973f8ca8038a85b798cc7fa93db62064d6053c757730a5be656c17104d611 Transaction Creating 0xdd49....c82b - Etherscan] (Feb 27, 2023)</ref><ref>[https://etherscan.io/txs?a=0x56d3191ee65f1f76e4e902ec983c6420398d49c8 Transactions By Wallet 0x56d3...49c8 (Fake_Phishing5851) - Etherscan] (Dec 27, 2023)</ref><ref>[https://etherscan.io/address/0x4e1256734882c3deff95e963b6a0a658bb88899a Address 0x4e12...899a Who Created 0xf403...ae31 - Etherscan] (Dec 28, 2023)</ref><ref name=":11" /><ref name="etherscanattackeraddress1-8877" /><ref>[https://etherscan.io/token/0x4e3fbd56cd56c3e72c1403e103b45db9da5b9d2b?a=0xcdc0f019f0ec0a903ca689e2bced3996efc53939 Convex Finance Tokens Received By Convex & Ribbon Phisher - Etherscan] (Dec 28, 2023)</ref>

			Malicious Contracts:

			* The first malicious contract 0x65a8...3b2f<ref name=":9" /> was created by wallet 0x5622...781a<ref name=":10" /><ref name=":8" />.

			* The final

	== Total Amount Lost ==		== Total Amount Lost ==
Line 346:		Line 357:
	<ref name="convexfinancepleasereviewtwitter-8875">[https://twitter.com/ConvexFinance/status/1540068029920432128 @ConvexFinance - "Please review approvals while we evaluate a potential front end issue." - Twitter] (Aug 23, 2022)</ref>		<ref name="convexfinancepleasereviewtwitter-8875">[https://twitter.com/ConvexFinance/status/1540068029920432128 @ConvexFinance - "Please review approvals while we evaluate a potential front end issue." - Twitter] (Aug 23, 2022)</ref>
	<ref name="convexfinancerevokecashtwitter-8876">[https://twitter.com/ConvexFinance/status/1540330182300540928 @ConvexFinance - "it is recommended that all users who've interacted with the Convex website in the past week review their approvals" - Twitter] (Aug 23, 2022)</ref>		<ref name="convexfinancerevokecashtwitter-8876">[https://twitter.com/ConvexFinance/status/1540330182300540928 @ConvexFinance - "it is recommended that all users who've interacted with the Convex website in the past week review their approvals" - Twitter] (Aug 23, 2022)</ref>
	<ref name="etherscanattackeraddress1-8877">[https://etherscan.io/address/0xb73261481064f717a63e6f295d917c28385af9aa Convex & Ribbon Phisher ~~Address \|~~ Etherscan] (Aug 23, 2022)</ref>		<ref name="etherscanattackeraddress1-8877">[https://etherscan.io/address/0xb73261481064f717a63e6f295d917c28385af9aa Address 0xB732...F9Aa (Convex & Ribbon Phisher) - Etherscan] (Aug 23, 2022)</ref>
	<ref name="etherscanattackeraddress2-8878">[https://etherscan.io/address/0x72a1a639c69f8002f035a7dc231d634d74e6b86e Malicious Smart Contract - Etherscan] (Aug 23, 2022)</ref>		<ref name="etherscanattackeraddress2-8878">[https://etherscan.io/address/0x72a1a639c69f8002f035a7dc231d634d74e6b86e Malicious Smart Contract - Etherscan] (Aug 23, 2022)</ref>
	<ref name="etherscanattackeraddress3-8879">[https://etherscan.io/address/0x56d3191ee65f1f76e4e902ec983c6420398d49c8 First Attack Address "Fake_Phishing5851" - 0x56d3191ee65f1f76e4e902ec983c6420398d49c8 \| Etherscan] (Aug 23, 2022)</ref>		<ref name="etherscanattackeraddress3-8879">[https://etherscan.io/address/0x56d3191ee65f1f76e4e902ec983c6420398d49c8 First Attack Address "Fake_Phishing5851" - 0x56d3191ee65f1f76e4e902ec983c6420398d49c8 \| Etherscan] (Aug 23, 2022)</ref>

Azoundria: miscellaneous

2023-12-27T20:10:40Z

miscellaneous

← Older revision		Revision as of 14:10, 27 December 2023
Line 2:		Line 2:

	== About Convex Finance ==		== About Convex Finance ==
	Convex Finance is a platform designed to enhance rewards for CRV stakers and liquidity providers on Curve~~.fi~~<ref name="convexfinancewebsite-8871" />. It simplifies staking on Curve and the CRV-locking system through its native fee-earning token, CVX<ref name="coinmarketcapconvex-8901" />. The platform enables Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves<ref name="convexfinancewebsite-8871" /><ref name="convexfinancewhyconvex-8872" />. Users can deposit Curve LP tokens to earn Curve trading fees, boosted CRV, and CVX tokens, with the boost being pooled from CRV stakers<ref name="convexfinancewebsite-8871" /><ref name="justincbramtutorialtwitter-8897" />. Convex Finance aims to make the staking process accessible to a wider audience, providing an easy-to-use interface for both experienced and novice users<ref name="convexfinancewebsite-8871" /><ref name="coinmarketcapcrv-8902" />. Notably, Convex Finance holds the majority of Curve Finance's CRV tokens in circulation, contributing significantly to the decentralized economy's liquidity<ref name="convexfinancewhyconvex-8872" />.		Convex Finance is a platform designed to enhance rewards for CRV stakers and liquidity providers on Curve Finance<ref name="convexfinancewebsite-8871" />. It simplifies staking on Curve and the CRV-locking system through its native fee-earning token, CVX<ref name="coinmarketcapconvex-8901" />. The platform enables Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves<ref name="convexfinancewebsite-8871" /><ref name="convexfinancewhyconvex-8872" />. Users can deposit Curve LP tokens to earn Curve trading fees, boosted CRV, and CVX tokens, with the boost being pooled from CRV stakers<ref name="convexfinancewebsite-8871" /><ref name="justincbramtutorialtwitter-8897" />. Convex Finance aims to make the staking process accessible to a wider audience, providing an easy-to-use interface for both experienced and novice users<ref name="convexfinancewebsite-8871" /><ref name="coinmarketcapcrv-8902" />. Notably, Convex Finance holds the majority of Curve Finance's CRV tokens in circulation, contributing significantly to the decentralized economy's liquidity<ref name="convexfinancewhyconvex-8872" />.

	Convex Finance launched on April 15th, 2021<ref name="convexfinancemedium-8900" /><ref name="convexfinancelaunchtwitter-8899" />, and quickly gained traction with over 17m CRV tokens staked within the first 2 weeks<ref name="convexfinancesuccesstwitter-8898" />. The Convex Finance protocol was audited by MixBytes<ref name="mixbytesaudit-8873" />.		Convex Finance launched on April 15th, 2021<ref name="convexfinancemedium-8900" /><ref name="convexfinancelaunchtwitter-8899" />, and quickly gained traction with over 17m CRV tokens staked within the first 2 weeks<ref name="convexfinancesuccesstwitter-8898" />. The Convex Finance protocol was audited by MixBytes<ref name="mixbytesaudit-8873" />.
Line 358:		Line 358:
	<ref name="knownapprovalsfromdnshijack-8887">[https://pastebin.com/qVwcBbWh Known Approvals From Convex Finance - Pastebin.com] (Aug 24, 2022)</ref>		<ref name="knownapprovalsfromdnshijack-8887">[https://pastebin.com/qVwcBbWh Known Approvals From Convex Finance - Pastebin.com] (Aug 24, 2022)</ref>
	<ref name="flubdubstertwitter1-8888">[https://twitter.com/flubdubster/status/1540437959899578369 flubdubster - "You called them out…here is their response You tried to safe some bucks…don’t blame them. It’s obvious that major DeFi products shouldn’t take the free plan. Don’t blame, own." - Twitter] (Aug 24, 2022)</ref>		<ref name="flubdubstertwitter1-8888">[https://twitter.com/flubdubster/status/1540437959899578369 flubdubster - "You called them out…here is their response You tried to safe some bucks…don’t blame them. It’s obvious that major DeFi products shouldn’t take the free plan. Don’t blame, own." - Twitter] (Aug 24, 2022)</ref>
	<ref name="namecheapceotwitter2-8889">[https://twitter.com/NamecheapCEO/status/1540384617206890496 <nowiki>~~@NamecheapCEO~~ "If you want complete security use [Domain Vault]" - Twitter</nowiki>] (Aug 24, 2022)</ref>		<ref name="namecheapceotwitter2-8889">[https://twitter.com/NamecheapCEO/status/1540384617206890496 <nowiki>Richard Kirkendall - "If you want complete security use [Domain Vault]" - Twitter</nowiki>] (Aug 24, 2022)</ref>
	<ref name="flubdubstertwitter2-8890">[https://twitter.com/flubdubster/status/1540436967711801344 flubdubster - "Is it true an additional 20$/month bill could have prevented this tweet?" - Twitter] (Aug 24, 2022)</ref>		<ref name="flubdubstertwitter2-8890">[https://twitter.com/flubdubster/status/1540436967711801344 flubdubster - "Is it true an additional 20$/month bill could have prevented this tweet?" - Twitter] (Aug 24, 2022)</ref>
	<ref name="flubdubstertwitter3-8891">[https://twitter.com/flubdubster/status/1540438847791812610 flubdubster - "They were on the free plan. A mere 20 bucks / month would have prevented this attack." - Twitter] (Aug 24, 2022)</ref>		<ref name="flubdubstertwitter3-8891">[https://twitter.com/flubdubster/status/1540438847791812610 flubdubster - "They were on the free plan. A mere 20 bucks / month would have prevented this attack." - Twitter] (Aug 24, 2022)</ref>

Azoundria: Another 30 minutes complete. Source names improved. Lots of minor revisions completed throughout the entire page.

2023-12-19T22:26:53Z

Another 30 minutes complete. Source names improved. Lots of minor revisions completed throughout the entire page.

Show changes

Azoundria: Another 30 minutes complete. Additional sources merged in. Information moved around.

2023-12-07T23:20:11Z

Another 30 minutes complete. Additional sources merged in. Information moved around.

← Older revision		Revision as of 17:20, 7 December 2023
Line 1:		Line 1:
	[[File:Convexfinance.jpg\|thumb\|Convex Finance]]Convex Finance is a tool to increase rewards for stakers and liquidity providers on the ~~curve~~ protocol. The service used NameCheap to host their primary domain where customers would interact with the service. On June 23rd, a request was made to change the DNS settings on ~~their~~ domain name~~, which was believed to be due to a vulnerability in NameCheap~~. This redirected the website to a phishing version, which looked identical to main version but requested approval on a new smart contract with a similar address. The new smart contract allowed the attacker to steal approved funds and was active on the site for a few hours, plus DNS propagation time. While at least 40 wallet addresses gave approvals, it appears that only a limited number of tokens were taken from those wallets. The Convex Finance team has agreed to reimburse all affected users from their treasury.		[[File:Convexfinance.jpg\|thumb\|Convex Finance Homepage]]Convex Finance is a tool to increase rewards for stakers and liquidity providers on the Curve Finance protocol. The service used NameCheap to host their primary domain where customers would interact with the service. On June 23rd, a NameCheap support agent had their account breached, and a request was made to change the DNS settings on the Convex Finance domain name. This redirected the website to a phishing version, which looked identical to main version but requested approval on a new smart contract with a similar address. The new smart contract allowed the attacker to steal approved funds and was active on the site for a few hours, plus DNS propagation time. While at least 40 wallet addresses gave approvals, it appears that only a limited number of tokens were taken from those wallets. The Convex Finance team has agreed to reimburse all affected users from their treasury.

	== About Convex Finance ==		== About Convex Finance ==
Line 30:		Line 30:

	== What Happened ==		== What Happened ==
	~~The account of~~ a customer support agent for NameCheap ~~was believed to be hacked~~<ref name="namecheapceotwitter3-10566" />.		After breaching a customer support agent for NameCheap<ref name="namecheapceotwitter1-8884" /><ref name="namecheapceotwitter3-10566" />, an attacker modified the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, [[Ribbon Finance Malicious DNS Hijack\|Ribbon Finance]], [[DeFi Saver Malicious DNS Hijack\|Defi Saver]], and [[AllBridge Malicious DNS Hijack\|AllBridge]]<ref name=":7">[https://www.trustnodes.com/2022/06/25/defi-dapps-dns-attacked DeFi Dapps DNS Attacked - TrustNodes] (Feb 25, 2024)</ref> to point to a phishing server with a similar front-end. This front-end requested approval for a smart contract which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />, and could drain funds from the wallets of any approving users.

	~~This allowed the~~ attacker ~~to modify~~ the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, [[Ribbon Finance Malicious DNS Hijack\|Ribbon Finance]], [[DeFi Saver Malicious DNS Hijack\|Defi Saver]], and [[AllBridge Malicious DNS Hijack\|AllBridge]]<ref>[https://www.trustnodes.com/2022/06/25/defi-dapps-dns-attacked DeFi Dapps DNS Attacked - TrustNodes] (Feb 25, 2024)</ref>. The attacker was able to override any 2-factor authentication, passwords, and security alert settings<ref>[https://twitter.com/DeFiSaver/status/1540300789901627392 DeFiSaver - "Same as with others, strong passwords and 2fa were used and we don't recognise security factors on our end that could have led to this." - Twitter] (Mar 23, 2023)</ref><ref>[https://twitter.com/DeFiSaver/status/1540311188462080003 DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter] (Mar 23, 2023)</ref><ref name=":5" />.

	~~The domain names were modified~~ to point to a server with a similar front-end~~, which~~ requested an approval for a smart contract which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />~~. However~~, ~~this smart contract would enable the attacker to~~ drain ~~all of the user's~~ funds from ~~their wallet.<blockquote>"The attacker was able to access~~ the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts.~~"</blockquote>~~
	{\| class="wikitable"		{\| class="wikitable"
	\|+Key Event Timeline - Convex Finance Malicious DNS Hijack		\|+Key Event Timeline - Convex Finance Malicious DNS Hijack
Line 56:		Line 52:
	\|First Malicious Contract		\|First Malicious Contract
	\|The very first smart contract is created by a wallet controlled from the attacker<ref>[https://etherscan.io/tx/0x50e6924604c8b1e1f8096f01aca0b35836c7d168fc0e99631f43d683717b13b5 First Smart Contract Creation - EtherScan] (Feb 23, 2023)</ref>.		\|The very first smart contract is created by a wallet controlled from the attacker<ref>[https://etherscan.io/tx/0x50e6924604c8b1e1f8096f01aca0b35836c7d168fc0e99631f43d683717b13b5 First Smart Contract Creation - EtherScan] (Feb 23, 2023)</ref>.
			\|-
			\|June 20th, 2022 7:11:15 AM MDT
			\|Transfer CRV To Contract
			\|160.996854988110785532 CRV is transferred to phishing Ethereum address 0xcdc0f019f0ec0a903ca689e2bced3996efc53939<ref>[https://etherscan.io/tx/0xcd2b5c5a6c6b967fa8ab694fa29f2c02f610ffcbaa09ce342c63f14c1ae26b0b Transfer of 160.996854988110785532 CRV To Attacker - Etherscan] (Dec 7, 2023)</ref>.
	\|-		\|-
	\|June 20th, 2022 7:26:48 AM		\|June 20th, 2022 7:26:48 AM
Line 91:		Line 91:
	\|June 23rd, 2022 3:54:00 PM		\|June 23rd, 2022 3:54:00 PM
	\|Bret Woods Suggestion		\|Bret Woods Suggestion
	\|Twitter user Bret Woods (@fewture) posts that "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters". His suggestion is to run the same transaction with "the gas SUPER LOW. Like 5 gwei. Your transaction won't go through, but it will populate on @etherscan where it is much easier to click through and make sure it's doing what you intended to do"<ref name=":0">[https://twitter.com/fewture/status/1540090921034940416 <nowiki>Bret Woods (@fewture) - ""[w]e're seeing hackers create addresses that match the first 4 and last 4 characters" - Twitter</nowiki>] (Feb 22, 2023)</ref>.		\|Twitter user Bret Woods (@fewture) posts that "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters". His suggestion is to run the same transaction with "the gas SUPER LOW. Like 5 gwei. Your transaction won't go through, but it will populate on @etherscan where it is much easier to click through and make sure it's doing what you intended to do"<ref name=":0">[https://twitter.com/fewture/status/1540090921034940416 <nowiki>Bret Woods (@fewture) - "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters" - Twitter</nowiki>] (Feb 22, 2023)</ref>.
	\|-		\|-
	\|June 23rd, 2022 4:20:00 PM MDT		\|June 23rd, 2022 4:20:00 PM MDT
Line 183:		Line 183:

	== Technical Details ==		== Technical Details ==
			The account of a customer support agent for NameCheap<ref name="namecheapceotwitter1-8884" /> was believed to be hacked<ref name="namecheapceotwitter3-10566" />.

			This allowed the attacker to modify the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, [[Ribbon Finance Malicious DNS Hijack\|Ribbon Finance]], [[DeFi Saver Malicious DNS Hijack\|Defi Saver]], and [[AllBridge Malicious DNS Hijack\|AllBridge]]<ref name=":7" />. The attacker was able to override any 2-factor authentication, passwords, and security alert settings<ref>[https://twitter.com/DeFiSaver/status/1540300789901627392 DeFiSaver - "Same as with others, strong passwords and 2fa were used and we don't recognise security factors on our end that could have led to this." - Twitter] (Mar 23, 2023)</ref><ref>[https://twitter.com/DeFiSaver/status/1540311188462080003 DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter] (Mar 23, 2023)</ref><ref name=":5" />.

			The domain names were modified to point to a server with a similar front-end, which requested an approval for vanity smart contracts which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />. However, instead of function as the standard Convex Finance smart contract, this smart contract would enable the attacker to drain all of the user's funds from their wallet.<blockquote>"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."</blockquote>Smart Contracts Used:<ref>[https://etherscan.io/address/0xf403a2c10b0b9fef8f0d4f931df5d86ad187ae31 Vanity Phishing Smart Contract - Etherscan] (Dec 7, 2o23)</ref>

	=== Use of Vanity Ethereum Addresses ===		=== Use of Vanity Ethereum Addresses ===
Line 273:		Line 278:
	The situation was initially reported and detailed by Twitter users @HarukoTech<ref name="harukotechdifferentcontracts-8895" /> and Bret Woods (@fewture)<ref name=":0" />. These users provided a complex analysis of the transactions and a guide on a work around to validate transactions on hardware devices by using smaller transaction fees<ref name="harukotechdifferentcontracts-8895" /><ref name=":0" />.		The situation was initially reported and detailed by Twitter users @HarukoTech<ref name="harukotechdifferentcontracts-8895" /> and Bret Woods (@fewture)<ref name=":0" />. These users provided a complex analysis of the transactions and a guide on a work around to validate transactions on hardware devices by using smaller transaction fees<ref name="harukotechdifferentcontracts-8895" /><ref name=":0" />.

	A Telegram group was set up for communication between the different affected protocols<ref name=":42">[https://twitter.com/0xLlam4/status/1540303906215010304 @0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter] (Feb 27, 2023)</ref>.		It was quickly realized that multiple protocols were affected by the exploit. A Telegram group was set up for communication between the different affected protocols<ref name=":42">[https://twitter.com/0xLlam4/status/1540303906215010304 @0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter] (Feb 27, 2023)</ref>.

	Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users<ref name="convexannouncesdnshijacktwitter-8893" />.		Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users<ref name="convexannouncesdnshijacktwitter-8893" />.
Line 279:		Line 284:
	<blockquote>Investigation is still ongoing, but a quick update for the community:		<blockquote>Investigation is still ongoing, but a quick update for the community:
	- DNS for http://convexfinance.com was hijacked, prompting users to approve malicious contracts for some interactions on the site.		- DNS for http://convexfinance.com was hijacked, prompting users to approve malicious contracts for some interactions on the site.

	- Funds on verified contracts are unaffected.		- Funds on verified contracts are unaffected.

	- Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.		- Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.

	At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.</blockquote>However, the nature of DNS is such that propagation of settings requires time and blockchain data shows that the most significant affected user thefts happened after this notice<ref name=":1" /><ref name=":2" />.		At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.</blockquote>However, the nature of DNS is such that propagation of settings requires time and blockchain data shows that the most significant affected user thefts happened after this notice, which described the situation as "remediated"<ref name=":1" /><ref name=":2" />.

	== Ultimate Outcome ==		== Ultimate Outcome ==
Line 301:		Line 308:

	== Ongoing Developments ==		== Ongoing Developments ==
	Lost funds were covered for users by the Convex Finance protocol form their treasury<ref name="convexpostmortem-8882" />. It remains to be seen whether ~~such a small amount~~ will be successfully located and recovered from the ~~thieves~~.		Lost funds were covered for users by the Convex Finance protocol form their treasury<ref name="convexpostmortem-8882" />. It remains to be seen whether any of the proceeds will be successfully located and recovered from the hackers.

	== Individual Prevention Policies ==		== Individual Prevention Policies ==

Azoundria: Another 30 minutes complete.

2023-07-21T17:42:33Z

Another 30 minutes complete.

@@ Line 92: / Line 92: @@
 |Bret Woods Suggestion
 |Twitter user Bret Woods (@fewture) posts that "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters". His suggestion is to run the same transaction with "the gas SUPER LOW. Like 5 gwei. Your transaction won't go through, but it will populate on @etherscan where it is much easier to click through and make sure it's doing what you intended to do"<ref name=":0">[https://twitter.com/fewture/status/1540090921034940416 <nowiki>Bret Woods (@fewture) - ""[w]e're seeing hackers create addresses that match the first 4 and last 4 characters" - Twitter</nowiki>] (Feb 22, 2023)</ref>.
 |-
 |June 23rd, 2022 4:46:00 PM
@@ Line 108: / Line 112: @@
 |Alternative Domains
 |Convex Finance posts on Twitter recommending users to use some alternative domain names to access the smart contract<ref name="convexfinancealternatedomains-8883" />.
 |-
 |June 24th, 2022 6:00:00 AM
@@ Line 173: / Line 181: @@
 |NameCheap decides to offer two different Domain Vault services from "Silver" tier at $1.88/mo<ref name="namecheapdomainvault6-10571" /> to "Titanium" tier at $19.88/mo<ref name="namecheapdomainvault7-10572" />.
 |}
 == Total Amount Lost ==

Azoundria: Fixing Nalin Gupta, and adding speculation about further domains.

2023-04-02T05:50:17Z

Fixing Nalin Gupta, and adding speculation about further domains.

← Older revision		Revision as of 23:50, 1 April 2023
Line 119:		Line 119:
	\|June 24th, 2022 7:00:00 AM MDT		\|June 24th, 2022 7:00:00 AM MDT
	\|Attacks Reported With Screenshots		\|Attacks Reported With Screenshots
	\|Twitter user ~~Nathan~~ Gupta is the first to publicly provide screenshots of all 4 DNS attacks in a single thread<ref>[https://twitter.com/nalingupta01/status/1540319012067737600 ~~Nathan~~ Gupta - "4 DeFi projects have experienced a DNS hijack attack" - Twitter] (Apr 1, 2023)</ref>.		\|Twitter user Nalin Gupta is the first to publicly provide screenshots of all 4 DNS attacks in a single thread<ref>[https://twitter.com/nalingupta01/status/1540319012067737600 Nalin Gupta - "4 DeFi projects have experienced a DNS hijack attack" - Twitter] (Apr 1, 2023)</ref>.
			\|-
			\|June 24th, 2022 7:24:00 AM MDT
			\|Speculation About Further Domains
			\|Further speculation arises that some other domains may be related<ref>[https://twitter.com/nalingupta01/status/1540325110720380928 <nowiki>Nalin Gupta - "It does seem some others might be affected tho[ugh]" - Twitter</nowiki>] (Apr 1, 2023)</ref>. The list referenced are cryptocurrency phishing websites and it does not appear that any of those domains are related to the DNS attack<ref>[https://twitter.com/idclickthat/status/1540200001112096768 idclickthat - "crypto phish" - Twitter] (Apr 1, 2023)</ref>.
	\|-		\|-
	\|June 24th, 2022 7:29:00 AM		\|June 24th, 2022 7:29:00 AM

Azoundria: nothing to worry about quote

2023-04-02T04:09:09Z

nothing to worry about quote

← Older revision		Revision as of 22:09, 1 April 2023
Line 136:		Line 136:
	\|Free DomainVault Monitoring		\|Free DomainVault Monitoring
	\|NameCheap's CEO expands the original tweet to say that they "would like to offer [affected services their] Domain Vault service for free and [they] will also place all affected domains on the highest security monitoring"<ref name=":4">[https://twitter.com/NamecheapCEO/status/1540364947611422722 @NamecheapCEO - "we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring" - Twitter] (Feb 24, 2023)</ref>.		\|NameCheap's CEO expands the original tweet to say that they "would like to offer [affected services their] Domain Vault service for free and [they] will also place all affected domains on the highest security monitoring"<ref name=":4">[https://twitter.com/NamecheapCEO/status/1540364947611422722 @NamecheapCEO - "we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring" - Twitter] (Feb 24, 2023)</ref>.
			\|-
			\|June 24th, 2022 10:32:00 AM MDT
			\|Nothing To Worry About
			\|NameCheap assures via Twitter that "[t]here is nothing to worry about" and they will "keep investigating"<ref>[https://twitter.com/Namecheap/status/1540372203627216898 NameCheap - "There is nothing to worry about; we keep investigating" - Twitter] (Apr 1, 2023)</ref>.
	\|-		\|-
	\|June 24th, 2022 11:21:00 AM		\|June 24th, 2022 11:21:00 AM

Azoundria: Tweet used as support for 2FA being employed too.

2023-04-01T20:55:23Z

Tweet used as support for 2FA being employed too.

← Older revision		Revision as of 14:55, 1 April 2023
Line 32:		Line 32:
	The account of a customer support agent for NameCheap was believed to be hacked<ref name="namecheapceotwitter3-10566" />.		The account of a customer support agent for NameCheap was believed to be hacked<ref name="namecheapceotwitter3-10566" />.

	This allowed the attacker to modify the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, [[Ribbon Finance Malicious DNS Hijack\|Ribbon Finance]], [[DeFi Saver Malicious DNS Hijack\|Defi Saver]], and [[AllBridge Malicious DNS Hijack\|AllBridge]]<ref>[https://www.trustnodes.com/2022/06/25/defi-dapps-dns-attacked DeFi Dapps DNS Attacked - TrustNodes] (Feb 25, 2024)</ref>. The attacker was able to override any 2-factor authentication, passwords, and security alert settings<ref>[https://twitter.com/DeFiSaver/status/1540300789901627392 DeFiSaver - "Same as with others, strong passwords and 2fa were used and we don't recognise security factors on our end that could have led to this." - Twitter] (Mar 23, 2023)</ref><ref>[https://twitter.com/DeFiSaver/status/1540311188462080003 DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter] (Mar 23, 2023)</ref>.		This allowed the attacker to modify the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, [[Ribbon Finance Malicious DNS Hijack\|Ribbon Finance]], [[DeFi Saver Malicious DNS Hijack\|Defi Saver]], and [[AllBridge Malicious DNS Hijack\|AllBridge]]<ref>[https://www.trustnodes.com/2022/06/25/defi-dapps-dns-attacked DeFi Dapps DNS Attacked - TrustNodes] (Feb 25, 2024)</ref>. The attacker was able to override any 2-factor authentication, passwords, and security alert settings<ref>[https://twitter.com/DeFiSaver/status/1540300789901627392 DeFiSaver - "Same as with others, strong passwords and 2fa were used and we don't recognise security factors on our end that could have led to this." - Twitter] (Mar 23, 2023)</ref><ref>[https://twitter.com/DeFiSaver/status/1540311188462080003 DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter] (Mar 23, 2023)</ref><ref name=":5" />.

	The domain names were modified to point to a server with a similar front-end, which requested an approval for a smart contract which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />. However, this smart contract would enable the attacker to drain all of the user's funds from their wallet.<blockquote>"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."</blockquote>		The domain names were modified to point to a server with a similar front-end, which requested an approval for a smart contract which had the same first and last 4 characters as the official smart contract address of Convex Finance<ref name="stefanpatatutwitter-8881" />. However, this smart contract would enable the attacker to drain all of the user's funds from their wallet.<blockquote>"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."</blockquote>
Line 115:		Line 115:
	\|June 24th, 2022 6:14:00 AM MDT		\|June 24th, 2022 6:14:00 AM MDT
	\|All Attacks Reported Together		\|All Attacks Reported Together
	\|All 4 "DNS exploit[s]" with "illicit vanity contracts" are reported by Twitter user CryptoCondom. He also mentioned that all protocols were using 2FA<ref>[https://twitter.com/crypto_condom/status/1540307373713129474 CryptoCondom - "A multi-platform DNS exploit appears to have occurred this week w/illicit vanity contracts" - Twitter] (Apr 1, 2023)</ref>.		\|All 4 "DNS exploit[s]" with "illicit vanity contracts" are reported by Twitter user CryptoCondom. He also mentioned that all protocols were using 2FA<ref name=":5">[https://twitter.com/crypto_condom/status/1540307373713129474 CryptoCondom - "A multi-platform DNS exploit appears to have occurred this week w/illicit vanity contracts" - Twitter] (Apr 1, 2023)</ref>.
	\|-		\|-
	\|June 24th, 2022 7:00:00 AM MDT		\|June 24th, 2022 7:00:00 AM MDT

Azoundria: Attacks reported together updated again with another Twitter post.

2023-04-01T20:52:59Z

Attacks reported together updated again with another Twitter post.

← Older revision		Revision as of 14:52, 1 April 2023
Line 112:		Line 112:
	\|Telegram Group Operating		\|Telegram Group Operating
	\|A Telegram group has reportedly been set up for communication and coordination between the different affected protocols<ref name=":43">[https://twitter.com/0xLlam4/status/1540303906215010304 @0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter] (Feb 27, 2023)</ref>.		\|A Telegram group has reportedly been set up for communication and coordination between the different affected protocols<ref name=":43">[https://twitter.com/0xLlam4/status/1540303906215010304 @0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter] (Feb 27, 2023)</ref>.
			\|-
			\|June 24th, 2022 6:14:00 AM MDT
			\|All Attacks Reported Together
			\|All 4 "DNS exploit[s]" with "illicit vanity contracts" are reported by Twitter user CryptoCondom. He also mentioned that all protocols were using 2FA<ref>[https://twitter.com/crypto_condom/status/1540307373713129474 CryptoCondom - "A multi-platform DNS exploit appears to have occurred this week w/illicit vanity contracts" - Twitter] (Apr 1, 2023)</ref>.
	\|-		\|-
	\|June 24th, 2022 7:00:00 AM MDT		\|June 24th, 2022 7:00:00 AM MDT
	\|~~All~~ Attacks Reported ~~Together~~		\|Attacks Reported With Screenshots
	\|Twitter user Nathan Gupta is the first to publicly ~~report~~ all 4 DNS attacks in a single thread<ref>[https://twitter.com/nalingupta01/status/1540319012067737600 Nathan Gupta - "4 DeFi projects have experienced a DNS hijack attack" - Twitter] (Apr 1, 2023)</ref>.		\|Twitter user Nathan Gupta is the first to publicly provide screenshots of all 4 DNS attacks in a single thread<ref>[https://twitter.com/nalingupta01/status/1540319012067737600 Nathan Gupta - "4 DeFi projects have experienced a DNS hijack attack" - Twitter] (Apr 1, 2023)</ref>.
	\|-		\|-
	\|June 24th, 2022 7:29:00 AM		\|June 24th, 2022 7:29:00 AM