Convex Finance Malicious DNS Hijack: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
(→‎Ultimate Outcome: →‎What Happened: The NameCheap CEO ultimately responded on Twitter to explain that there was a hacked or compromised customer support agent and all access was removed from them. He also offered completely free Domain Vault monitoring to all affected services.)
(→‎Immediate Reactions: Initial reports and detailing.)
Line 162: Line 162:
<blockquote>"What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31. [The] @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31. 4 Starting/Ending Characters are the same. DNS spoofing?"</blockquote>
<blockquote>"What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31. [The] @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31. 4 Starting/Ending Characters are the same. DNS spoofing?"</blockquote>


The situation was also addressed in the meantime by Twitter users HarukoTech<ref name="harukotechdifferentcontracts-8895" />  with a complex analysis of the transactions and Bret Woods (@fewture)<ref name=":0" /> with a guide on a work around to validate transactions on hardware devices by using smaller transaction fees.
The situation was initially reported and detailed by Twitter users @HarukoTech<ref name="harukotechdifferentcontracts-8895" />  and Bret Woods (@fewture)<ref name=":0" /> . These users provided a complex analysis of the transactions and a guide on a work around to validate transactions on hardware devices by using smaller transaction fees<ref name="harukotechdifferentcontracts-8895" /><ref name=":0" />.


Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users<ref name="convexannouncesdnshijacktwitter-8893" />.
Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users<ref name="convexannouncesdnshijacktwitter-8893" />.
Line 171: Line 171:
- Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.
- Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.


At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.</blockquote>However, the nature of DNS is such that propagation of settings requires time and the most significant affected user thefts happened after this notice<ref name=":1" /><ref name=":2" />.
At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.</blockquote>However, the nature of DNS is such that propagation of settings requires time and blockchain data shows that the most significant affected user thefts happened after this notice<ref name=":1" /><ref name=":2" />.


== Ultimate Outcome ==
== Ultimate Outcome ==

Revision as of 13:28, 24 February 2023

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Convex Finance

Convex Finance is a tool to increase rewards for stakers and liquidity providers on the curve protocol. The service used NameCheap to host their primary domain where customers would interact with the service. On June 23rd, the Convex team was impersonated to NameCheap and a request was made to change the DNS settings on their domain name. This redirected the website to a phishing version, which looked identical to main version but requested approval on a new smart contract with a similar address. The new smart contract allowed the attacker to steal approved funds and was active on the site for a few hours, plus DNS propagation time. While at least 40 wallet addresses gave approvals, it appears that only a limited number of tokens were taken from those wallets. The Convex Finance team has agreed to reimburse all affected users from their treasury.

[1][2][3][4][5][6][7][8][9][10][11]

About Convex Finance

Convex Finance launched on April 15th, 2021[12], and quickly gained traction with over 17m CRV tokens staked in the first 2 weeks[13].

"Introducing Convex Finance, a platform built to boost rewards for CRV stakers and liquidity providers alike, all in a simple and easy to use interface. Convex aims to simplify staking on Curve, as well as the CRV-locking system with the help of its native fee-earning token: CVX."[14][15]

"Convex allows Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves. Liquidity providers can receive boosted CRV and liquidity mining rewards with minimal effort."[14][16]

"Deposit liquidity, earn boosted CRV and rewards." "Deposit your Curve LP tokens to earn Curve trading fees, boosted CRV and CVX tokens. Boost is pooled from CRV stakers so you do not need to worry about locking yourself."[14][17]

"If you’ve ever been a Curve LP, you know it is somewhat non-trivial to maximize your boost by depositing/maintaining your veCRV balance. If you’ve never been a Curve LP, it may be intimidating to do so without being a DeFi power user. Convex aims to make this process easy and bring the CRV boost ecosystem to everyone."[14][18]

"Convex Finance is a notable protocol, as it holds the majority of Curve Finance’s CRV tokens in circulation. Curve Finance—the leading stablecoin automated market maker—provides approximately one-tenth of the decentralized economy’s liquidity in terms of total locked value."[16]

The Convex Finance protocol was audited by MixBytes[19].

The Reality

While the smart contract operates in a decentralized manner, most users will tend to interact with the contracts using transactions generated by a centralized website. When a domain name is accessed on the internet, a service called DNS is used to point the domain name to an IP address[20].

The Convex Finance project used NameCheap for their registrar for their primary website[21]. The procedures at NameCheap were such that support team members were able to override the DNS of the website to point the domain name to a malicious server[22][23][24].

"Convex used NameCheap as it’s domain registrar for convexfinance.com."

NameCheap also offers a "Domain Vault" service for an additional monthly fee, which was fully launched on June 20th, 2022, coincident with the time of the attack[25][26][27].

"Usually we require a [PIN] code from customer. We also monitor all actions as well a[s] monitor a real time [VIP] list. In the end our [customer support] needs to be able to modify to help customers[,] especially when 99% don't understand [DNS]. If you want complete security use [Domain Vault]"

Despite having two-factor authentication and a strong password, Convex Finance was not enrolled in that service.

What Happened

The account of a customer support agent for NameCheap was believed to be hacked[28]. This allowed the attacker to change the DNS settings of multiple high-profile domain names registered there, including Convex Finance.

The domain names were modified to point to a server with a similar front-end, which requested an approval for a smart contract which had the same first and last 4 characters as the official smart contract address of Convex Finance[29]. However, this smart contract would enable the attacker to drain all of the user's funds from their wallet.


"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."

Key Event Timeline - Convex Finance Malicious DNS Hijack
Date Event Description
April 15th, 2021 6:04:00 AM Convex Finance Launch Convex Finance announces their launch on Twitter[12].
March 22nd, 2022 Domain Vault Announced The first archived appearance of the "Domain Vault" service on NameCheap which costs $19.88/mo and is still "coming soon"[30].
June 20th, 2022 3:05:42 AM First Malicious Contract The very first smart contract is created by a wallet controlled from the attacker[31].
June 20th, 2022 7:26:48 AM Malicious Contract Creation The malicious smart contract 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31 is created[32], which is very similar to the "Convex Finance: Booster" smart contract normally at address 0xF403C135812408BFbE8713b5A23a04b3D48AAE31[33][34].
June 20th, 2022 Domain Vault Launches The NameCheap "Domain Vault" service now switches from "Get early access" to "Get Domain Vault" with the price remaining at $19.88/mo[25][26].
June 23rd, 2022 6:17:41 AM Final Malicious Contract The final malicious smart contract is created by the attacker[35].
June 23rd, 2022 12:39:13 PM Fake CvxLockerV2 Smart Contract A malicious smart contract 0x72a1A639C69F8002F035a7DC231d634D74e6b86E is created[36]. This is very close to the smart contract address of the Convex Locker 2 at 0x72a19342e8F1838460eBFCCEf09F6585e32db86E[37][38].
June 23rd, 2022 1:02:00 PM Alexintosh Tweet The Twitter user @alexintosh reported an abnormal approval requested by the Convex Finance website, with a similar but not exact smart contract address[39][40][41].
June 23rd, 2022 2:23:00 PM Please Review Approvals Convex Finance posts their very first announcement on Twitter, requesting users to "[p]lease review approvals while we evaluate a potential front end issue[42]."
June 23rd, 2022 3:46:00 PM Additional Malicious Contracts Twitter user @HarukoTech describes several malicious contracts which were created against different protocols and that "[t]he attacker seems to be generating similar addresses to well know[n] protocols"[43].
June 23rd, 2022 3:54:00 PM Bret Woods Suggestion Twitter user Bret Woods (@fewture) posts that "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters". His suggestion is to run the same transaction with "the gas SUPER LOW. Like 5 gwei. Your transaction won't go through, but it will populate on @etherscan where it is much easier to click through and make sure it's doing what you intended to do"[44].
June 23rd, 2022 4:46:00 PM Convex Preliminary Convex Finance first posts on Twitter to announce the DNS hijacking. They list 5 addresses which are affected, that investigation is still ongoing, and that the issue is "remediated"[45][41].
June 23rd, 2022 5:03:47 PM cvxCRV Token Theft A blockchain transaction transfers 15,968.95655 cvxCRV tokens to the DNS phishing attacker's wallet[46].
June 23rd, 2022 5:44:25 PM CRV Token Theft A blockchain transaction transfers 433.39359656 CRV tokens to the DNS phishing attacker's wallet[47].
June 23rd, 2022 6:08:00 PM Alternative Domains Convex Finance posts on Twitter recommending users to use some alternative domain names to access the smart contract[48].
June 24th, 2022 7:45:00 AM Recommending Revoking "As a precaution, it is recommended that all users who've interacted with the Convex website in the past week review their approvals as we continue to investigate. Use a tool like http://revoke.cash to remove any malicious or suspicious contracts[49]."
June 24th, 2022 10:01:00 AM NameCheap Response NameCheap's CEO responds on Twitter that they've "traced this down to a specific [customer support] agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating."[50]
June 24th, 2022 10:03:00 AM Free DomainVault Monitoring NameCheap's CEO expands the original tweet to say that they "would like to offer [affected services their] Domain Vault service for free and [they] will also place all affected domains on the highest security monitoring"[51].
June 24th, 2022 11:21:00 AM NameCheap DomainVault "Usually we require a pin code from customer. We also monitor all actions as well a monitor a real time vip list. In the end our [customer support] needs to be able to modify to help customers especially when 99% don't understand [DNS]. If you want complete security use [DomainVault]"[27]
June 24th, 2022 2:12:53 PM Affected List Uploaded The pastebin for the complete list of affected addresses is uploaded by Convex Finance[52].
June 24th, 2022 2:46:00 PM Restored Report Convex Finance posts on Twitter to report that the original domain is back. Original "domain is back to normal operation. DNS is secured and actively monitored." They also share a list of affected addresses.[22][53].
June 24th, 2022 4:16:00 PM NameCheap Clarifies Hack NameCheap responds that it "[l]ooks more like [their customer support] person was hacked."[28]
June 25th, 2022 Domain Vault Discount NameCheap lowers the price of their Domain Vault service from $19.88/mo[54] to $1.88/mo[55].
July 1st, 2022 10:14:00 AM Postmortem Released Convex Finance releases a post-mortem report with further details of what happened, how much was lost, and their compensation plans[56][21].
July 2nd, 2022 Price Segmentation NameCheap decides to offer two different Domain Vault services from "Silver" tier at $1.88/mo[57] to "Titanium" tier at $19.88/mo[58].

Total Amount Lost

Cryptonomist reports that as of June 24th, 2023, "the tally of what the hacker managed to steal is about 220 ETH[41]" however no further information is provided as to how that number was determined by Cryptonomist. The blockchain records of the attacker's known wallet show significantly fewer tokens being received in total[59].

Convex Finance described in their postmortem that only 3 of the 40 exploited addresses had funds taken from them, and the specific total was 15,968 cvxCRV and 433 CRV[21]. Matching blockchain transactions can be identified for 15,968.95655 cvxCRV[46] and 433.3936 CRV[47].

"As of today, there are 40 known addresses that approved malicious contracts as a result of this incident. In total, an estimated 15,968 cvxCRV and 433 CRV are suspected of being stolen from users. Only 3 of the 40 addresses listed had funds taken."

While the attacker's wallet does contain additional transactions, it is unclear which specific attack these belong to and most amounts are less substantial[59]. The closing market price of Curve on June 23rd, 2022 was $0.8308[18], while the closing market price of Convex's cvxCRV token was $0.8285[15]. Combining with the post-mortem information, this results in an estimated total loss of $13,589.22 USD.

Immediate Reactions

On June 23, 2022, the Twitter user @alexintosh reported an abnormal approval requested by the Convex Finance website, with a similar but not exact smart contract address[39][40].

"What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31. [The] @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31. 4 Starting/Ending Characters are the same. DNS spoofing?"

The situation was initially reported and detailed by Twitter users @HarukoTech[43] and Bret Woods (@fewture)[44] . These users provided a complex analysis of the transactions and a guide on a work around to validate transactions on hardware devices by using smaller transaction fees[43][44].

Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users[45].

Investigation is still ongoing, but a quick update for the community:

- DNS for http://convexfinance.com was hijacked, prompting users to approve malicious contracts for some interactions on the site. - Funds on verified contracts are unaffected. - Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.

At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.

However, the nature of DNS is such that propagation of settings requires time and blockchain data shows that the most significant affected user thefts happened after this notice[46][47].

Ultimate Outcome

The NameCheap CEO ultimately responded on Twitter to explain that there was a hacked or compromised customer support agent and all access was removed from them[50]. He also offered completely free Domain Vault monitoring to all affected services[51].

"We've traced this down to a specific [customer support] agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating." "In the meantime we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring."

Convex Finance posted a finalized list of affected addresses on June 24th[22][52][53].

At this time, the addresses on this list (linked below) are suspected of having approved malicious contracts. Please note this list may or may not be complete.

There was strong criticism from user @flubdubster for Convex Finance using a standard domain registration which doesn't have advanced spoofing protection[60][61][62].

Total Amount Recovered

Convex Finance reportedly attempted to cover losses.

"Convex Finance will attempt to compensate losses stemming from the DNS hijacking from June 20–23, 2022, sourced from the treasury, and paid in CVX tokens equivalent to the USD values at time of loss. Funds will go directly to the addresses affected once approvals have been revoked to the malicious contracts."

The total amount recovered has been estimated at $14,000 USD.

Ongoing Developments

What parts of this case are still remaining to be concluded?

Prevention Policies

The issue ultimately stemmed from a single customer support agent being compromised. A multi-signature requirement on DNS changes would have prevented this scenario entirely.

While NameCheap offers advanced protections on their domain names, this service had just launched two days prior to the DNS change, so it was unlikely to be a reasonable expectation that Convex Finance would have already signed up.

Users of platforms need to be careful and double check any new approval requested by any platform against the proper smart contract address. It is recommended to double check any new smart contract addresses being interacted with.

References

  1. https://etherscan.io/address/0xb73261481064f717a63e6f295d917c28385af9aa (Aug 23, 2022)
  2. https://etherscan.io/address/0x72a1a639c69f8002f035a7dc231d634d74e6b86e (Aug 23, 2022)
  3. https://etherscan.io/address/0x56d3191ee65f1f76e4e902ec983c6420398d49c8 (Aug 23, 2022)
  4. https://etherscan.io/address/0xba63402bdf0e1b245333e5ef008baee69d669f2a (Aug 23, 2022)
  5. $15 Billion Rugpull Vulnerability in Convex Finance protocol Uncovered and Resolved - OpenZeppelin blog (Aug 24, 2022)
  6. Convex Finance Pre Launch Announcement (Aug 24, 2022)
  7. Address 0x496e53c32a69a79a82ed85d2913010dd2f9d1b4f | Etherscan (Feb 15, 2023)
  8. raspu.eth | Address 0x4ffc5f22770ab6046c8d66dabae3a9cd1e7a03e7 | Etherscan (Feb 15, 2023)
  9. Address 0x5b186c93a50d3cb435fe2933427d36e6dc688e4b | Etherscan (Feb 15, 2023)
  10. Address 0x624301090700ea1e3c5b5224f89adfae405412c1 | Etherscan (Feb 15, 2023)
  11. Address 0x92557b6ffa116b53cf2c3bc1d6d33f78d97ed4c9 | Etherscan (Feb 15, 2023)
  12. 12.0 12.1 @ConvexFinance - "Introducing Convex Finance! A new platform" - Twitter (Aug 24, 2022)
  13. @ConvexFinance Twitter (Aug 24, 2022)
  14. 14.0 14.1 14.2 14.3 https://www.convexfinance.com/ (Aug 23, 2022)
  15. 15.0 15.1 https://coinmarketcap.com/currencies/convex-crv/historical-data/ (Aug 24, 2022)
  16. 16.0 16.1 Convex for Curve.fi - ConvexFinance (Aug 23, 2022)
  17. @JustinCBram Twitter (Aug 24, 2022)
  18. 18.0 18.1 https://coinmarketcap.com/currencies/curve-dao-token/historical-data/ (Aug 24, 2022)
  19. platform/Convex Platform Security Audit Report.pdf at main · convex-eth/platform · GitHub (Aug 23, 2022)
  20. https://www.cloudflare.com/learning/dns/what-is-dns/ (Feb 9, 2023)
  21. 21.0 21.1 21.2 Post Mortem Of Events June 23 (Aug 24, 2022)
  22. 22.0 22.1 22.2 @ConvexFinance - "domain is back to normal operation. DNS is secured and actively monitored" - Twitter (Aug 24, 2022)
  23. @DevanCollins3 Twitter (Aug 24, 2022)
  24. @LefterisJP Twitter (Feb 10, 2023)
  25. 25.0 25.1 Domain Vault Page on June 19th, 2022 - Namecheap (Feb 12, 2023)
  26. 26.0 26.1 Domain Vault Page on June 20th, 2022 - Namecheap (Feb 12, 2023)
  27. 27.0 27.1 @NamecheapCEO "If you want complete security use [Domain Vault]" - Twitter (Aug 24, 2022)
  28. 28.0 28.1 @NamecheapCEO Twitter (Feb 11, 2023)
  29. @StefanPatatu Twitter (Aug 23, 2022)
  30. Domain Vault Page on Mar 22nd, 2022 - Namecheap (Feb 9, 2023)
  31. First Smart Contract Creation - EtherScan (Feb 23, 2023)
  32. Ethereum Transaction Hash (Txhash) Details | Etherscan (Feb 15, 2023)
  33. Convex Finance Booster Contract - Etherscan (Feb 24, 2023)
  34. @Alexintosh - "I don't what's happening but be 100% certain you approve exactly" - Twitter (Feb 24, 2023)
  35. Final Malicious Contract Creation - EtherScan (Feb 23, 2023)
  36. Malicious "CvxLockerV2" Contract Created - Etherscan (Feb 23, 2023)
  37. martinkrung Reports Fake "CvxLockerV2" Contract - Twitter (Feb 23, 2023)
  38. Actual "CvxLockerV2" Smart Contract - Etherscan (Feb 23, 2023)
  39. 39.0 39.1 @Alexintosh Twitter (Aug 23, 2022)
  40. 40.0 40.1 Contract Addresses - ConvexFinance (Aug 24, 2022)
  41. 41.0 41.1 41.2 https://en.cryptonomist.ch/2022/06/24/convex-more-info-on-the-hack/ (Jul 2, 2022)
  42. @ConvexFinance - "Please review approvals while we evaluate a potential front end issue." - Twitter (Aug 23, 2022)
  43. 43.0 43.1 43.2 @HarukoTech Twitter (Aug 24, 2022)
  44. 44.0 44.1 44.2 Bret Woods (@fewture) Guide - Twitter (Feb 22, 2023)
  45. 45.0 45.1 @ConvexFinance Twitter (Aug 24, 2022)
  46. 46.0 46.1 46.2 Theft of 15,968.95655 cvxCRV - Etherscan (Feb 23, 2023)
  47. 47.0 47.1 47.2 Theft Of 433.3936 CRV - Etherscan (Feb 22, 2023)
  48. @ConvexFinance Twitter (Aug 24, 2022)
  49. @ConvexFinance Twitter (Aug 23, 2022)
  50. 50.0 50.1 @NamecheapCEO - "traced this down to a specific [customer support] agent that was either hacked or compromised" - Twitter (Aug 24, 2022)
  51. 51.0 51.1 @NamecheapCEO - "we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring" - Twitter (Feb 24, 2023)
  52. 52.0 52.1 Known Approvals From Convex Finance - Pastebin.com (Aug 24, 2022)
  53. 53.0 53.1 @ConvexFinance - "the addresses on this list (linked below) are suspected of having approved malicious contracts" - Twitter (Aug 24, 2022)
  54. Domain Vault Page on June 24th, 2022 - Namecheap (Feb 13, 2023)
  55. Domain Vault Page on June 25th, 2022 - Namecheap (Feb 13, 2023)
  56. @ConvexFinance Twitter (Feb 18, 2023)
  57. Domain Vault Page on July 1st, 2022 - Namecheap (Feb 13, 2023)
  58. Domain Vault Page on July 2nd, 2022 - Namecheap (Feb 13, 2023)
  59. 59.0 59.1 Token's Received and Sent By The Attacker's Wallet - Etherscan (Feb 23, 2023)
  60. @flubdubster Twitter (Aug 24, 2022)
  61. @flubdubster Twitter (Aug 24, 2022)
  62. @flubdubster Twitter (Aug 24, 2022)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Convex_Finance_Malicious_DNS_Hijack&oldid=2694"