Ambient Finance Frontend DNS Hijacking
Ambient Finance is a decentralized exchange which offers a variety of order types on the same exchange platform. On October 17th, 2024, users of their site were prompted to approve a new smart contract and found that their wallets were drained as a result. The DNS for their main domain name, ambient.finance, had been hijacked and pointed at a malicious copy of the website; the token approvals users granted through that copy let the hacker take their funds. The protocol's smart contracts themselves were not compromised. The Ambient Finance team subsequently recovered the domain, moved it to a hardened registrar, and reimbursed all affected users for their losses in full.
[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]
About Ambient Finance
"Zero-to-One Decentralized Trading Protocol. Faster, Easier, and Cheaper. Ambient runs the entire DEX inside a single smart contract, allowing for low-fee transactions, greater liquidity rewards, and a fairer trading experience."
"Ambient (formerly CrocSwap) is a decentralized exchange (DEX) protocol that allows for two-sided AMMs combining concentrated and ambient constant-product liquidity on any arbitrary pair of blockchain assets.
Ambient runs the entire DEX inside a single smart contract, where individual AMM pools are lightweight data structures instead of separate smart contracts. This and other design decisions make Ambient the most efficient Ethereum-based DEX in existence."
"Ambient is built for diversified, sustainable liquidity that fixes the broken LP economics of AMMs. It is also the only DEX to support concentrated (‘V3’), ambient (‘V2’) and knock-out liquidity in the same liquidity pool."
"Make your LP position a trading position – and vice versa – using our range and limit orders. Ambient combines liquidity in a single pool, allowing for greater rewards for liquidity providers, and less impact for traders."
"Built for traders and market makers of all kinds, Ambient introduces novel DeFi-native features and an array of quality-of-life improvements allowing for a best-in-class user experience."
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
October 17th, 2024 5:07:00 AM MDT | Users Note Front-End Hacked | A comment tweet in Simplified Chinese asks "Was it hacked? The official team should make a statement." This is the first mention of the hack. |
October 17th, 2024 6:47:00 AM MDT | First Notice On X | The first notice posted by Ambient Finance of the hijacked domain. |
October 18th, 2024 5:50:00 PM MDT | Second Notice On X | The Ambient Finance team again tweets to notify that their front-end has been attacked and that users should avoid using their main domain name. |
October 18th, 2024 7:31:00 PM MDT | Clarification Tweet | Ambient Finance posts to notify that the smart contracts are safe, and only the front-end is compromised and again warns users not to interact with their front-end. |
October 18th, 2024 7:52:00 PM MDT | PANewsLab Article | PANewsLab publishes an article about the front-end hack online. |
October 19th, 2024 12:17:00 PM MDT | Croc Finance Domain | Ambient Finance reports that they've set up the site on croc.finance while awaiting an investigation from the registrar. The ambient.finance domain is offline, preventing further scamming of users via the compromised front-end. |
October 19th, 2024 11:02:00 PM MDT | User Reporting Loss | One user reports a loss of $500 due to the vulnerability. |
October 20th, 2024 10:16:00 AM MDT | Domain Back Online | The Ambient Finance domain is back online and users can safely use it or the Croc Finance domain as an alternative. |
October 26th, 2024 6:45:00 AM MDT | Reimbursement Reported | Ambient Finance reports that reimbursing victims is complete. All payments were made in ETH: the approvals the affected wallets granted to the attacker's contract would let any tokens sent to those wallets be swept again, whereas native ETH is not covered by a token approval. They advise users to consider their wallets compromised, move the ETH to a fresh wallet, and use that wallet from then on. |
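What "approve a new smart contract" means on-chain, and the check a wallet or a careful user can run on such a request before signing it, as an added example (not Ambient Finance code). It decodes the calldata of an ERC-20 approve(address,uint256) or ERC-721 setApprovalForAll(address,bool) transaction and flags a spender outside a known allowlist and an unlimited allowance, which is the combination a phishing copy of a frontend asks for. The token, router and attacker addresses are placeholders constructed for the example; the function selectors are the standard ones.

```python
"""Decode and triage an ERC-20 approve() / ERC-721 setApprovalForAll() request.

Added example, not Ambient Finance code. TOKEN, TRUSTED_ROUTER and
ATTACKER_CONTRACT are placeholder addresses constructed for this example,
not real contracts. The selectors are the standard ERC-20/ERC-721 ones.
"""
from dataclasses import dataclass
from typing import Optional

APPROVE = bytes.fromhex("095ea7b3")               # keccak256("approve(address,uint256)")[:4]
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # keccak256("setApprovalForAll(address,bool)")[:4]
UINT256_MAX = 2**256 - 1

# Placeholder addresses (constructed for the example).
TOKEN = "0x" + "01" * 20
TRUSTED_ROUTER = "0x" + "02" * 20
ATTACKER_CONTRACT = "0x" + "ee" * 20


@dataclass(frozen=True)
class Approval:
    kind: str      # "approve" or "setApprovalForAll"
    token: str     # contract the transaction is sent to
    spender: str   # address being granted spending or operator rights
    value: int     # allowance for approve(); 1/0 for setApprovalForAll(true/false)


def encode_approval(selector: bytes, spender: str, value: int) -> bytes:
    """ABI-encode (address, uint256 or bool) exactly as a dApp builds the calldata."""
    return selector + bytes.fromhex(spender[2:]).rjust(32, b"\0") + value.to_bytes(32, "big")


def decode_approval(to: str, data: bytes) -> Optional[Approval]:
    """Return the approval a transaction would grant, or None if it is not an approval."""
    if len(data) != 4 + 64 or data[:4] not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    args = data[4:]
    if any(args[:12]):      # an ABI-encoded address is left-padded with 12 zero bytes
        return None
    spender = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:64], "big")
    kind = "approve" if data[:4] == APPROVE else "setApprovalForAll"
    return Approval(kind, to.lower(), spender, value)


def triage(to: str, data: bytes, trusted_spenders: set) -> list:
    """Reasons to refuse signing; an empty list means a bounded allowance to a known spender."""
    req = decode_approval(to, data)
    if req is None:
        return []           # not an approval; outside the scope of this check
    reasons = []
    if req.spender not in {s.lower() for s in trusted_spenders}:
        reasons.append(f"spender {req.spender} is not a known protocol contract")
    if req.kind == "approve" and req.value == UINT256_MAX:
        reasons.append("unlimited allowance requested")
    if req.kind == "setApprovalForAll" and req.value:
        reasons.append("operator rights over every token in the collection requested")
    return reasons


if __name__ == "__main__":
    trusted = {TRUSTED_ROUTER}
    # What a phishing copy of a frontend asks for: unlimited approval to an unknown contract.
    phish = encode_approval(APPROVE, ATTACKER_CONTRACT, UINT256_MAX)
    print("phishing request:", triage(TOKEN, phish, trusted))
    # What a routine swap asks for: a bounded allowance to the protocol's own router.
    routine = encode_approval(APPROVE, TRUSTED_ROUTER, 10**18)
    print("routine request:", triage(TOKEN, routine, trusted))
```

The allowlist is the part that has to come from somewhere the phishing site cannot influence: a contract address list shipped with the wallet, or copied from the protocol's documentation on a separate channel, never from the page that is asking for the signature. The same reasoning is why, after this incident, the team paid reimbursements in ETH rather than in tokens: an allowance to the attacker's contract keeps working on any token balance that later arrives in the wallet.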
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
What the sources establish is that the compromise was at the domain level, not in the protocol's smart contracts. Control of the ambient.finance domain was taken from the team, its DNS was pointed at a malicious copy of the frontend, and that copy prompted visitors to approve a new smart contract, after which their wallets were drained. Ambient Finance worked with the SEAL team and the domain registrar to regain control, took the domain offline while the registrar investigated, served a replacement frontend from croc.finance, and then moved the domain to a hardened registrar with its DNS reviewed. How the hijacker obtained control of the domain is not stated in the sources, and the post mortem the team promised is not among them.
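A detection a frontend operator can run continuously to catch the kind of drift seen here, as an added example rather than Ambient Finance's own tooling: record a baseline of the domain's NS delegation and the frontend's A records together with an allowlist of hosting addresses, then alert when the delegation changes or the site resolves to an address outside the allowlist. Hostnames, nameservers and IP addresses are placeholders constructed for the example; the only live call uses the standard library resolver, which returns A records but not NS records.

```python
"""Detect a frontend domain drifting from its recorded DNS baseline.

Added example, not Ambient Finance tooling. Hostnames, nameservers and
addresses below are placeholders constructed for the example (documentation
ranges 203.0.113.0/24 and 198.51.100.0/24). resolve_a() is the only live call
and uses the standard library resolver, which returns A records but not NS
records; NS data must come from a DNS library or `dig NS` in a real deployment.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecords:
    ns: frozenset   # nameservers the domain is delegated to
    a: frozenset    # IPv4 addresses the frontend hostname resolves to


def resolve_a(host: str) -> frozenset:
    """Live A-record lookup through the system resolver (needs network access)."""
    _, _, addrs = socket.gethostbyname_ex(host)
    return frozenset(addrs)


def compare(baseline: DnsRecords, observed: DnsRecords, known_hosting: frozenset) -> list:
    """Alerts for drift from the baseline. known_hosting lists every address the
    frontend is allowed to live on (your CDN/origin addresses, enumerated)."""
    alerts = []
    # A registrar-level takeover typically re-delegates the domain: NS changes first.
    if observed.ns != baseline.ns:
        alerts.append(f"NS delegation changed: {sorted(baseline.ns)} -> {sorted(observed.ns)}")
    if not observed.a:
        alerts.append("frontend hostname no longer resolves")
    else:
        rogue = observed.a - known_hosting
        if rogue:
            # The site now points at infrastructure you do not control.
            alerts.append(f"A record(s) outside known hosting: {sorted(rogue)}")
        elif observed.a != baseline.a:
            # Churn inside the allowlist is normal CDN behaviour; report, do not page.
            alerts.append(f"A record(s) rotated within known hosting: {sorted(observed.a)}")
    return alerts


# Constructed sample data.
BASELINE = DnsRecords(
    ns=frozenset({"ns1.dns-provider.example", "ns2.dns-provider.example"}),
    a=frozenset({"203.0.113.10", "203.0.113.11"}),
)
KNOWN_HOSTING = frozenset({"203.0.113.10", "203.0.113.11", "203.0.113.12"})
# What a hijack looks like: new delegation, site resolving to an address the team does not own.
HIJACKED = DnsRecords(ns=frozenset({"ns1.hijacker.example"}), a=frozenset({"198.51.100.7"}))
# What routine CDN rotation looks like: same delegation, address still inside the allowlist.
ROTATED = DnsRecords(ns=BASELINE.ns, a=frozenset({"203.0.113.12"}))


def check_live(host: str, baseline: DnsRecords, known_hosting: frozenset) -> list:
    """Compare live A records against the baseline (NS reused from the baseline,
    because the stdlib resolver cannot fetch NS records)."""
    observed = DnsRecords(ns=baseline.ns, a=resolve_a(host))
    return compare(baseline, observed, known_hosting)


if __name__ == "__main__":
    for label, snapshot in (("hijacked", HIJACKED), ("rotated", ROTATED)):
        for alert in compare(BASELINE, snapshot, KNOWN_HOSTING):
            print(f"[{label}] {alert}")
```

A changed NS set is the strongest signal of a registrar-level takeover, because the attacker re-delegates the domain to nameservers they control; address churn inside your own hosting ranges is normal and is reported at lower severity so the alert stays actionable. The check should run from outside the team's own network and resolver, since the point is to see what users see. Pairing it with certificate transparency monitoring is worthwhile: a hijacker who wants a convincing copy of the site over HTTPS has to obtain a certificate for the domain, and that issuance is logged.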
Total Amount Lost
The total amount lost is unknown; the only figure in the sources is a single user reporting a loss of $500.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
"Scroll-based DEX protocol Ambient Finance announced on X platform that their domain has been hijacked. Until further notice, please do not interact with the Ambient Finance frontend."
The Scroll blockchain DEX protocol Ambient Finance announced on the X platform that its domain name has been hijacked. The team is currently working with the "seal" team and the domain registrar to resolve the issue as quickly as possible. The smart contract is fully secure, and funds are safe. However, until further notice, users are advised not to interact with the Ambient Finance frontend.
Previously, it was reported that the Ambient Finance DEX protocol on the Scroll blockchain (@ambient_finance) might have experienced a frontend attack. Users were warned to avoid interacting with the decentralized application (dApp) and to suspend transaction signing until the issue is resolved.
"The Ambient Finance domain has been hijacked. We are working with seal team and domain registrar to quickly resolve.
Do not use ambient dot finance until further finance."
"Contracts are fully secure and funds are safe. But do not interact with the Ambient Finance frontend until further notice."
"The Ambient Finance domain has been secured from hijacker control. Site is currently offline pending final investigation by registrar. We expect resolution shortly
A secure frontend has been deployed at http://croc.finance. Refrain from ambient[.]finance until all clear"
"Contracts and funds remain safe and secure.
We are urgently working on resolving claims from affected users during the frontend attack. Thank you for your patience"
"http://ambient.finance frontend is up and all clear and safe to interact with again
Domain has been fully transferred to a hardened registrar and DNS reviewed and secured
http://croc.finance will continue to serve an alt frontend indefinitely."
"Contracts and funds continue to be safe and secure.
Reimbursement claims for affected users should be expected soon. Extensive post mortem will follow.
Thanks for your patience through this."
Ultimate Outcome
"Ambient Finance has fully reimbursed all victims of the recent domain hijack phishing attack.
All payouts were made in ETH, because there’s no safe way to send tokens to these addresses.
We highly recommend that users consider these wallets burned and move the ETH to a fresh wallet before doing anything else"
Total Amount Recovered
The total amount recovered is unknown. Ambient Finance states that every victim of the domain hijack was reimbursed in full, in ETH, but the total paid out is not given in the sources.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Scroll on-chain DEX Ambient domain hijacked, users should not interact with the frontend - PANews (Accessed Nov 12, 2024)
2. Ambient | Zero-to-One Decentralized Trading Protocol (Accessed Nov 12, 2024)
3. Introduction to Ambient | Ambient Docs (Accessed Nov 12, 2024)
4. @npnpnp101 Twitter (Accessed Nov 12, 2024)
5. @ambient_finance Twitter (Accessed Nov 12, 2024)
6. @ambient_finance Twitter (Accessed Nov 12, 2024)
7. @ambient_finance Twitter (Accessed Nov 12, 2024)
8. @ambient_finance Twitter (Accessed Nov 12, 2024)
9. @ambient_finance Twitter (Accessed Nov 12, 2024)
10. @Stanbul99410890 Twitter (Accessed Nov 12, 2024)
11. @mourezjerry221 Twitter (Accessed Nov 12, 2024)
12. @HaveANiceTrade Twitter (Accessed Nov 12, 2024)
13. @4centvin Twitter (Accessed Nov 12, 2024)
14. @PreshyDefi Twitter (Accessed Nov 12, 2024)
15. @zkskrol Twitter (Accessed Nov 12, 2024)
16. Blockaid: Scroll on-chain DEX Ambient suspected of suffering a frontend attack - PANews (Accessed Nov 12, 2024)