DYdX Exchange DNS Hijacking Attack - Revision history

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/dydxexchangednshijackingattack.php}} {{Unattributed Sources}} dYdX Logo/Homepage
2024-10-25T20:04:43Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/dydxexchangednshijackingattack.php}} {{Unattributed Sources}} thumb|dYdX Logo/Homepage<ref name="slowmisthackedarchive-15180" /><ref name="dydx-15181" /><ref name="dydx-15182" /><ref name="llamaonthebrinktwitter-15183" /><ref name="open4profittwitter-15184" /><ref name="lawrencechiu14twitter-15185" /><ref name="dydxtwitter-15186" /><ref name="dydxtwitter-15187" /><ref..."

New page
{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/dydxexchangednshijackingattack.php}}
{{Unattributed Sources}}

[[File:Dydx.jpg|thumb|dYdX Logo/Homepage]]<ref name="slowmisthackedarchive-15180" /><ref name="dydx-15181" /><ref name="dydx-15182" /><ref name="llamaonthebrinktwitter-15183" /><ref name="open4profittwitter-15184" /><ref name="lawrencechiu14twitter-15185" /><ref name="dydxtwitter-15186" /><ref name="dydxtwitter-15187" /><ref name="wazzupcryptotwitter-15188" /><ref name="derektmckinneytwitter-15189" /><ref name="techflowposttwitter-15190" /><ref name="dydxtwitter-15191" /><ref name="dydxtwitter-15192" /><ref name="dydxtwitter-15193" /><ref name="dydxtwitter-15194" /><ref name="dydxtwitter-15195" /><ref name="goplussecwarextwitter-15196" /><ref name="echoewebtwitter-15197" /><ref name="parrotcoinstwitter-15198" /><ref name="veritasweb3twitter-15199" />

== About dYdX Exchange ==
"Perpetuals, decentralized." "Trade Perpetual Contracts with low fees, deep liquidity, and up to 25× more Buying Power. Deposit just $10 to get started."

"We built the fastest and most powerful decentralized exchange ever." "Once you deposit to Layer 2, you will no longer pay fees to miners for each transaction." "Trades are executed instantly and confirmed on the blockchain within hours." "Unlike other platforms, there is no wait required to withdraw your funds from Layer 2." "We've redesigned our exchange from the ground up, so you can use it from any device." "StarkWare's Layer 2 solution provides increased security & privacy via zero-knowledge rollups." "Access leverage across positions in multiple markets from a single account."

"dYdX is the leading DeFi protocol developer for advanced trading. Trade 135 cryptocurrencies with low fees, deep liquidity, and up to 20× buying power."

== The Reality ==
"In 2023, Squarespace acquired the rights to all domains from the now-defunct Google Domains. All domains were migrated over a period of months. The domain dydx.exchange, owned by dYdX Trading, was migrated from Google Domains to Squarespace on June 15, 2024."

"On July 9, while registered with Squarespace, attackers gained access to the dydx.exchange domain, and modified the the DNS Nameservers from Cloudflare to DDoS-Guard. This attack was mitigated by DNSSEC settings that remained set on the registrar. This resulted in would-be-visitors’ browsers failing to authenticate the DNS changes, and correctly blocking users from viewing the page.

dYdX promptly contacted Squarespace customer service during this incident and they restored access to the account quickly according to their account-recovery policies. dYdX ensured that all passwords and 2FA were rotated on Squarespace accounts and that the attacker’s access was fully removed. The attack was completely mitigated and fixed within a couple of hours.

Two days later on July 11, several additional reports of targeted attacks on crypto-specific domains — which had been migrated from Google Domains to Squarespace — were reported. As a result, SEAL, a crypto-focused security team, put together an incident-response team to figure out what was going on, how the attack could be mitigated, and how to get any relevant information to Squarespace itself. At this point, dYdX realized that the earlier incident was likely part of a broader attack against crypto domains, and assisted the investigators. At this time, dYdX also continued to monitor the dydx.exchange domain for any suspicious activity.

On July 14, SEAL published a postmortem on the issue based on their findings, but without much direct information from Squarespace. This postmortem suggested that there were one-or-more technical vulnerabilities in Squarespace that allowed for these attacks to happen.

On July 18, Squarespace posted a longer postmortem which confirmed an exploited security issue with OAuth logins on their site. It included information that the issue was fixed on July 12.

While dYdX decided to change domain registrars, dYdX believed that Squarespace had successfully mitigated the attack and fixed the vulnerability."

== What Happened ==
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
{| class="wikitable"
|+Key Event Timeline - dYdX Exchange DNS Hijacking Attack
!Date
!Event
!Description
|-
|July 23rd, 2024 9:59:00 AM MDT
|Twitter Announcement Post
|The dYdX team posts on Twitter to announce that they are now aware of the hack on the dYdX domain.
|-
|July 23rd, 2024 11:48:00 AM MDT
|Twitter Mention Of Hack
|A mention on Twitter of the hacked website.
|-
|July 23rd, 2024 1:36:00 PM MDT
|Post About Phishing Attack
|A post is made which highlights the attack that took place and the phishing transaction which was requested from users.
|-
|July 23rd, 2024 1:43:00 PM MDT
|Website Noted Restored
|A tweet notes that the website has now been restored and should be safe to use, though users are warned about the potential that their device may have cached the compromised DNS settings.
|-
|July 24th, 2024 10:00:00 PM MDT
|PostMortem Release
|The dYdX Exchange releases a postmortem on the DNS Hijack attack.
|}

== Technical Details ==
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

== Total Amount Lost ==
"Two users were affected, resulting in a loss of approximately $31,000."

"During the roughly 2 hours that the http://dydx.exchange domain was hijacked, 2 users lost funds totaling about $31k. dYdX Trading is in contact with those users and will ensure that they are made whole."

The total amount lost has been estimated at $31,000 USD.

== Immediate Reactions ==

"On July 23, the dydx.exchange domain was discovered to have been compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address."

"On July 23, it was discovered that the dydx.exchange domain was compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. dYdX immediately contacted Squarespace customer support. Squarespace was able to return possession of the domain as well as fix the DNS Nameserver resolution within a couple of hours. The recovery process was delayed for over 30 minutes due to maintenance from one of Squarespace’s third-party vendors which prevented changing the DNS Nameservers back to Cloudflare.

The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address. During this time, dYdX also worked with SEAL and other partners to ensure that popular crypto wallets like Metamask and Phantom would block the site for the duration of the attack. To our knowledge at the time of publishing, 2 users were affected with approximately $31,000 in lost funds due to this attack. dYdX trading is in contact with both affected users and is assisting in securing their wallets and is committed to recovering funds."

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmisthackedarchive-15180">[https://web.archive.org/web/20240826170509/https://hacked.slowmist.io/?c=&page=2 SlowMist Hacked - SlowMist Zone] (Accessed Aug 30, 2024)</ref>

<ref name="dydx-15181">[https://dydx.exchange/blog/dns-nameserver-hijacking-postmortem DNS Nameserver Hijacking Postmortem] (Accessed Aug 30, 2024)</ref>

<ref name="dydx-15182">[https://dydx.exchange/ dYdX - Trade Perpetuals on the most powerful trading platform] (Accessed Aug 30, 2024)</ref>

<ref name="llamaonthebrinktwitter-15183">[https://twitter.com/llamaonthebrink/status/1815797368068956461 @llamaonthebrink Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="open4profittwitter-15184">[https://twitter.com/open4profit/status/1815806190317683145 @open4profit Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="lawrencechiu14twitter-15185">[https://twitter.com/LawrenceChiu14/status/1815833455915143587 @LawrenceChiu14 Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15186">[https://twitter.com/dYdX/status/1815778660453941450 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15187">[https://twitter.com/dYdX/status/1815780835473129702 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="wazzupcryptotwitter-15188">[https://twitter.com/Wazzup_Crypto/status/1816060698134302908 @Wazzup_Crypto Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="derektmckinneytwitter-15189">[https://twitter.com/DerekTMcKinney/status/1816067961339232513 @DerekTMcKinney Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="techflowposttwitter-15190">[https://twitter.com/TechFlowPost/status/1815930835490726227 @TechFlowPost Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15191">[https://twitter.com/dYdX/status/1816547431791886756 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15192">[https://twitter.com/dYdX/status/1816547433691992357 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15193">[https://twitter.com/dYdX/status/1815835205334073537 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15194">[https://twitter.com/dYdX/status/1815838667258073289 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="dydxtwitter-15195">[https://twitter.com/dYdX/status/1815791754756423773 @dYdX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="goplussecwarextwitter-15196">[https://twitter.com/GoPlusSecWareX/status/1816046847737356405 @GoPlusSecWareX Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="echoewebtwitter-15197">[https://twitter.com/Echoeweb/status/1816167063897210882 @Echoeweb Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="parrotcoinstwitter-15198">[https://twitter.com/parrot_coins/status/1816208045480792452 @parrot_coins Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="veritasweb3twitter-15199">[https://twitter.com/veritas_web3/status/1815838427402657933 @veritas_web3 Twitter] (Accessed Aug 30, 2024)</ref></references>