Compound Finance Official Website DNS Hijacking

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Compound Finance is one of the most popular decentralized finance lending protocols. Compound Labs used Squarespace as the registrar for its compound.finance domain. Early in the morning of July 11th, 2024, the domain was hijacked at the registrar level and pointed users to a phishing site (compound-finance.app) running a wallet-draining application; the protocol's smart contracts themselves were not affected. compound.finance was one of several Squarespace-registered crypto domains hijacked in the same period, alongside Celer Network. It is unclear how many users were drained by this attack.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]
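A registrar-level hijack of this kind shows up as a change in the zone's NS delegation, a move of the A/CNAME records to hosting the owner does not control, and a front-end that sends visitors to a look-alike name. The monitor below is an added example of how a platform team could catch each of those signals by comparing fresh `dig +short` output against a pinned baseline; it is not code from Compound Labs, Squarespace or any source cited on this page. compound.finance and compound-finance.app are the names reported above; every nameserver hostname and IP address in the sample data is a constructed placeholder (RFC 5737 documentation ranges), and `snapshot_from_dig`, `is_lookalike` and `diff_snapshots` are names chosen for this example.

```python
"""Added example, not code from Compound Labs, Squarespace or any cited source.

Pinned-baseline DNS monitor: compare the NS delegation, A/CNAME records and
front-end redirect target of a domain against a known-good snapshot and flag
the changes a registrar-account takeover produces. Sample data is constructed
(placeholder nameservers, RFC 5737 documentation addresses).
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DnsSnapshot:
    """One observation of a zone: delegation plus the records serving the site."""
    ns: FrozenSet[str]                 # NS hostnames returned for the apex
    a: FrozenSet[str]                  # A records for the web host (www or apex)
    cname: Optional[str] = None        # CNAME for the web host, if any
    redirect_to: Optional[str] = None  # host the HTTP front-end redirects to, if any


def snapshot_from_dig(ns_out: str, a_out: str,
                      redirect_to: Optional[str] = None) -> DnsSnapshot:
    """Build a snapshot from `dig +short NS <apex>` and `dig +short A www.<apex>`.

    `dig +short` prints the CNAME target (if any) ahead of the A records, so
    any line that is not an IP address is taken as the CNAME.
    """
    ns = frozenset(line.strip().rstrip(".").lower()
                   for line in ns_out.splitlines() if line.strip())
    a, cname = set(), None
    for line in a_out.splitlines():
        tok = line.strip()
        if not tok:
            continue
        try:
            a.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            cname = tok.rstrip(".").lower()
    return DnsSnapshot(ns=ns, a=frozenset(a), cname=cname, redirect_to=redirect_to)


def squash(domain: str) -> str:
    """Collapse case, trailing dot, hyphens and label separators, which are
    exactly what a phisher varies to build a look-alike name."""
    return domain.lower().rstrip(".").replace("-", "").replace(".", "")


def is_lookalike(candidate: str, legit: str) -> bool:
    """True when `candidate` reads like `legit` but is neither it nor one of
    its subdomains, e.g. compound-finance.app vs compound.finance."""
    cand, real = candidate.lower().rstrip("."), legit.lower().rstrip(".")
    if cand == real or cand.endswith("." + real):
        return False
    return squash(cand).startswith(squash(real))


def diff_snapshots(legit_domain: str, baseline: DnsSnapshot,
                   observed: DnsSnapshot) -> List[str]:
    """Return one alert string per suspicious change; an empty list means clean."""
    alerts = []
    if observed.ns != baseline.ns:
        # A delegation swap is the signature of a registrar/account takeover: the
        # attacker never touches the old DNS host, they re-point the whole zone.
        alerts.append(f"NS delegation changed: {sorted(baseline.ns)} -> {sorted(observed.ns)}")
    unexpected = observed.a - baseline.a
    if unexpected:
        alerts.append(f"A records not in baseline: {sorted(unexpected)}")
    if observed.cname != baseline.cname:
        alerts.append(f"CNAME changed: {baseline.cname!r} -> {observed.cname!r}")
    if observed.redirect_to and is_lookalike(observed.redirect_to, legit_domain):
        alerts.append(f"front-end redirects to look-alike domain {observed.redirect_to}")
    return alerts


# Constructed sample data. compound.finance and compound-finance.app are the
# names reported on this page; nameservers and addresses are placeholders.
BASELINE = snapshot_from_dig(
    "ns1.registrar-dns.example.\nns2.registrar-dns.example.\n",
    "www.compound.finance.cdn.example.\n192.0.2.10\n192.0.2.11\n",
)
HIJACKED = snapshot_from_dig(
    "ns1.attacker-dns.example.\nns2.attacker-dns.example.\n",
    "198.51.100.7\n",
    redirect_to="compound-finance.app",
)


def check_hijacked() -> List[str]:
    """Run the comparison on the constructed hijacked snapshot."""
    return diff_snapshots("compound.finance", BASELINE, HIJACKED)


if __name__ == "__main__":
    for alert in check_hijacked():
        print("ALERT:", alert)
```

In practice the two `dig +short` queries would run from a scheduler every few minutes, against a public resolver rather than the operator's own, with the baseline pinned when the domain is in a known-good state. The caveat is that this only shortens the detection window; it does not stop the redirect, and anyone who visits and signs a transaction while the hijack is live is still drained. Preventing the takeover itself is a registrar-account control (hardware-backed 2FA, registrar lock, alerts on account and nameserver changes), not a DNS monitoring one.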

About Compound Finance

"Compound Finance is one of the most widely used protocols in the DeFi ecosystem. Deployed on Ethereum, its purpose is to issue automatic, permissionless loans of Ether and various ERC20 tokens. As of February 2022, the protocol held more than $10 billion in assets across 18 markets."

"To invest in Compound, users deposit Ether or supported ERC20 tokens into one of the protocol’s markets. In exchange, they receive cTokens for that market, with which they can redeem their investment. Compound’s cTokens are differentiated and denominated according to the underlying asset. For example, investors who deposit Ether (ETH) receive cETH tokens, which are redeemable for ETH. Similarly, investors who deposit USDC receive cUSDC tokens, which are redeemable for USDC, and so on. In addition to being redeemable for the underlying asset, cTokens can be traded according to their market value."

"The total value of each market increases as funds are lent out and repaid. As the value held in a market grows, the cTokens for that market increase in value and can be redeemed for more of the underlying asset. In this way, investors accrue interest. When the protocol operates as intended, the value of a cToken relative to its underlying asset should only increase, i.e., only positive interest rates should be possible."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Compound Finance Official Website DNS Hijacking
Date | Event | Description
July 11th, 2024 12:49:00 AM MDT | ZachXBT Reporting | ZachXBT tweets to announce that the Compound Finance website appears to be redirecting to a malicious phishing site.
July 11th, 2024 12:50:00 AM MDT | Tweet Report | A tweet reports that the Compound Finance website is redirecting to the phishing website compound-finance.app.
July 11th, 2024 1:37:00 AM MDT | Michael Lewellen Tweet | Michael Lewellen tweets to notify that the Compound Finance website appears to be hijacked and is currently hosting a phishing site.
July 11th, 2024 3:15:00 AM MDT | Compound Labs Tweet | Compound Labs reports that their domain has been hijacked and that they will provide an update.
July 11th, 2024 5:35:00 AM MDT | CoinDesk Article | CoinDesk publishes an article on both domain hijackings (Compound Finance and Celer Network).
July 11th, 2024 9:32:00 AM MDT | BlockAid Tweet/Analysis | BlockAid tweets about the developing situation, reporting that both the Compound Finance and Celer Network sites are hijacked and that the phishing sites use the Inferno Drainer malware.
July 11th, 2024 11:00:00 AM MDT | Squarespace Security Breaches | Reportedly, multiple websites registered through Squarespace are targeted.
July 13th, 2024 5:28:00 AM MDT | BlokTalk Tweet | BlokTalk reports on the potential breach of the Pendle Finance website.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Compound DAO security advisor Michael Lewellen tweeted that the Compound Finance official website (http://compound.finance) has been compromised and is currently hosting a phishing site. Do not interact with the site until further notice."

"ALERT: The http://compound.finance URL has been compromised and is currently hosting a phishing site. DO NOT interact with the http://compound.finance website until further notice.

The Compound protocol itself is not impacted and all smart contract funds are safe."

"URGENT: The Compound Labs website (compound[.]finance) has been compromised.

Please do not visit the website or click any links until further notice. An update will be provided when available."

"BREAKING: Multiple cryptocurrency platforms tied to Squarespace, including Compound Finance and Celer Network, reported security breaches affecting their websites.

The breach appears to be a DNS attack, adding to the long list of crypto hacks so far in 2024."

"Security advisor to the Compound DAO, Michael Lewellen, posted a community alert via X (formerly Twitter), urging users to avoid the platform’s website. Compound Finance confirmed the attack 90 minutes later. The breach was highlighted earlier by ZachXBT via Telegram."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Accessed Jul 11, 2024)
  2. @LewellenMichael Twitter (Accessed Jul 15, 2024)
  3. @compoundfinance Twitter (Accessed Jul 15, 2024)
  4. @Mayhall_ Twitter (Accessed Jul 15, 2024)
  5. @blockaid_ Twitter (Accessed Jul 15, 2024)
  6. @ThePulseWallet Twitter (Accessed Jul 15, 2024)
  7. @0xngmi Twitter (Accessed Jul 15, 2024)
  8. @DanKazenoff Twitter (Accessed Jul 15, 2024)
  9. @_mwc Twitter (Accessed Jul 15, 2024)
  10. Compound Finance and Celer Network websites compromised in ‘front-end’ attacks (Accessed Jul 15, 2024)
  11. @PelehSergii Twitter (Accessed Jul 15, 2024)
  12. @MLion_AI Twitter (Accessed Jul 15, 2024)
  13. @TheBlokTalk Twitter (Accessed Jul 15, 2024)
  14. @ankitav Twitter (Accessed Jul 15, 2024)
  15. Compound Finance Live Critical Vulnerability - Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository (Accessed Jul 15, 2024)