Convex Finance Malicious DNS Hijack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search
Convex Finance Homepage

Convex Finance is a tool to increase rewards for stakers and liquidity providers on the Curve Finance protocol. The service used NameCheap to host their primary domain, which was the main way customers would interact with the service. On June 23rd, a NameCheap support agent had their account breached, and a request was made to change the DNS settings on a few domains including the Convex Finance domain name. This redirected the website to a phishing version, which looked identical to main version but requested approval on a new smart contract with a similar address. The new smart contract allowed the attacker to steal approved funds and was active on the site for a few hours, plus DNS propagation time. While at least 40 wallet addresses gave approvals, it appears that only a limited number of tokens were ultimately taken from those wallets. The Convex Finance team agreed to reimburse affected users from their treasury.

About Convex Finance

Convex Finance is a platform designed to enhance rewards for CRV stakers and liquidity providers on Curve Finance[1]. It simplifies staking on Curve and the CRV-locking system through its native fee-earning token, CVX[2]. The platform enables Curve.fi liquidity providers to earn trading fees and claim boosted CRV without locking CRV themselves[1][3]. Users can deposit Curve LP tokens to earn Curve trading fees, boosted CRV, and CVX tokens, with the boost being pooled from CRV stakers[1][4]. Convex Finance aims to make the staking process accessible to a wider audience, providing an easy-to-use interface for both experienced and novice users[1][5]. Notably, Convex Finance holds the majority of Curve Finance's CRV tokens in circulation, contributing significantly to the decentralized economy's liquidity[3].

Convex Finance launched on April 15th, 2021[6][7], and quickly gained traction with over 17m CRV tokens staked within the first 2 weeks[8]. The Convex Finance protocol was audited by MixBytes[9].

Convex Finance Homepage:[1]

The Reality

While smart contracts operate in a decentralized "trustless" manner, most users will tend to interact with them using transactions generated by a centralized "trusted" website. When a domain name is accessed on the internet, a service called DNS (Domain Name System) is used to route the user to the appropriate server[10].

The Convex Finance project used NameCheap as their domain registrar for their primary domain convexfinance.com[11]. The procedures at NameCheap for most domains were such that individual support team members were able to override the DNS of the website[12][13][14].

"Convex used NameCheap as it’s domain registrar for convexfinance.com."

NameCheap also offers a "Domain Vault" service for an additional monthly fee, which appears to have been fully launched on June 20th, 2022, coincident with the time of the attack[15][16][17].

"Usually we require a [PIN] code from customer. We also monitor all actions as well a[s] monitor a real time [VIP] list. In the end our [customer support] needs to be able to modify to help customers[,] especially when 99% don't understand [DNS]. If you want complete security use [Domain Vault]"

While Convex Finance reportedly used 2FA[18], Convex Finance was not enrolled in the DomainVault service[12][17][19], which had only recently launched[15][16].

What Happened

After breaching the credentials of a NameCheap customer support agent[20][21], an attacker modified the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, Ribbon Finance, Defi Saver, and AllBridge[22] to point to a phishing server with a similar front-end. This front-end requested approval for a smart contract with the same first and last 4 characters as the official smart contract address of Convex Finance[23], and could drain funds from the wallets of any approving users.

Key Event Timeline - Convex Finance Malicious DNS Hijack
Date Event Description
April 15th, 2021 6:04:00 AM Convex Finance Launch Convex Finance announces their launch on Twitter[7].
June 1st, 2021 7:10:00 PM MDT Justin Bram Tweet Justin Bram shares a tweet to show users "how to automatically boost [their] @CurveFinance staking yields with @ConvexFinance", which further drives adoption of the protocol[4].
March 22nd, 2022 Domain Vault Announced The first archived appearance of the "Domain Vault" service on NameCheap which costs $19.88/mo and is still "coming soon"[24].
June 20th, 2022 2:02:01 AM MST Funds Moved Into First Address The attacker moves funds into their first ethereum address[25][26].
June 20th, 2022 3:05:42 AM First Malicious Contract Creation The very first smart contract is created by a wallet controlled from the attacker[27]. Malicious contract 0x65a8...3b2f[28] was created by wallet 0x5622...781a[27][29].
June 20th, 2022 7:11:15 AM MDT Transfer CRV To Contract 160.996854988110785532 CRV is transferred to phishing Ethereum address 0xcdc0f019f0ec0a903ca689e2bced3996efc53939[30].
June 20th, 2022 7:26:48 AM Malicious Contract Creation The malicious smart contract 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31 is created[31][32], which is very similar to the "Convex Finance: Booster" smart contract normally at address 0xF403C135812408BFbE8713b5A23a04b3D48AAE31[33][34].
June 20th, 2022 Domain Vault Launches The NameCheap "Domain Vault" service now switches from "Get early access" to "Get Domain Vault" with the price remaining at $19.88/mo[15][16].
June 23rd, 2022 6:17:41 AM Final Malicious Contract The final malicious smart contract is created by the attacker[35].
June 23rd, 2022 7:43:37 AM Funds Moved To Third Address The attacker moves their ethereum to a third address (presumably in response to flagging of previous addresses) and begins further attacks[36][37].
June 23rd, 2022 12:39:13 PM Fake CvxLockerV2 Smart Contract A malicious smart contract 0x72a1A639C69F8002F035a7DC231d634D74e6b86E is created[38][39]. This is very close to the smart contract address of the Convex Locker 2 at 0x72a19342e8F1838460eBFCCEf09F6585e32db86E[40][41].
June 23rd, 2022 1:02:00 PM Alexintosh Tweet The Twitter user @alexintosh reported an abnormal approval requested by the Convex Finance website, with a similar but not exact smart contract address[42][43][44].
June 23rd, 2022 2:23:00 PM Please Review Approvals Convex Finance posts their very first announcement on Twitter, requesting users to "[p]lease review approvals while we evaluate a potential front end issue[45]."
June 23rd, 2022 3:46:00 PM Additional Malicious Contracts Twitter user @HarukoTech describes several malicious contracts which were created against different protocols and that "[t]he attacker seems to be generating similar addresses to well know[n] protocols"[46].
June 23rd, 2022 3:54:00 PM Bret Woods Suggestion Twitter user Bret Woods (@fewture) posts that "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters". His suggestion is to run the same transaction with "the gas SUPER LOW. Like 5 gwei. Your transaction won't go through, but it will populate on @etherscan where it is much easier to click through and make sure it's doing what you intended to do"[47].
June 23rd, 2022 4:20:00 PM MDT Stefan Patatu Vanity Attack Tutorial Stefan Patatu links to a tutorial he wrote (originally on May 6th) to provide the community with more information on the way vanity addresses were employed in the attack[48].
June 23rd, 2022 4:46:00 PM Convex Preliminary Convex Finance first posts on Twitter to announce the DNS hijacking. They list 5 addresses[49][50][51][52][53] which are affected, that investigation is still ongoing, and that the issue is "remediated"[54][44].
June 23rd, 2022 5:03:47 PM cvxCRV Token Theft A blockchain transaction transfers 15,968.95655 cvxCRV tokens to the DNS phishing attacker's wallet[55].
June 23rd, 2022 5:44:25 PM CRV Token Theft A blockchain transaction transfers 433.39359656 CRV tokens to the DNS phishing attacker's wallet[56].
June 23rd, 2022 6:08:00 PM Alternative Domains Convex Finance posts on Twitter recommending users to use some alternative domain names to access the smart contract[57].
June 23rd, 2022 8:40:06 PM MDT CoinCu Publishes Article CoinCu reports that Convex Finance, a leading yield solution in the DeFi market, experienced a DNS attack, where hackers stole the domain address convexfinance.com. They inserted source code into the website to deceive users and make them interact with dangerous contracts. As a precautionary measure, Convex Finance advised users to revoke and deauthorize recently interacted contracts to mitigate potential risks. Convex Finance reported that five wallet addresses had interacted with the malicious contract, and users were instructed to contact the project to proceed with the necessary processing steps. The incident has been temporarily handled, but a post-mortem report is expected to be published soon[58]. This is retweeted[59]. TBD use this as a source for other information.
June 24th, 2022 6:00:00 AM Telegram Group Operating A Telegram group has reportedly been set up for communication and coordination between the different affected protocols[60].
June 24th, 2022 6:14:00 AM MDT All Attacks Reported Together All 4 "DNS exploit[s]" with "illicit vanity contracts" are reported by Twitter user CryptoCondom. He also mentioned that all protocols were using 2FA[61].
June 24th, 2022 7:00:00 AM MDT Attacks Reported With Screenshots Twitter user Nalin Gupta is the first to publicly provide screenshots of all 4 DNS attacks in a single thread[62].
June 24th, 2022 7:24:00 AM MDT Speculation About Further Domains Further speculation arises that some other domains may be related[63]. The list referenced are cryptocurrency phishing websites and it does not appear that any of those domains are related to the DNS attack[64].
June 24th, 2022 7:29:00 AM Attacks Reported Together Again Twitter user Tommy Famous also reports on all 4 DNS attacks in a single thread[65].
June 24th, 2022 7:45:00 AM Recommending Revoking "As a precaution, it is recommended that all users who've interacted with the Convex website in the past week review their approvals as we continue to investigate. Use a tool like http://revoke.cash to remove any malicious or suspicious contracts[66]."
June 24th, 2022 10:01:00 AM NameCheap Response NameCheap's CEO responds on Twitter that they've "traced this down to a specific [customer support] agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating."[20]
June 24th, 2022 10:03:00 AM Free DomainVault Monitoring NameCheap's CEO expands the original tweet to say that they "would like to offer [affected services their] Domain Vault service for free and [they] will also place all affected domains on the highest security monitoring"[19].
June 24th, 2022 10:32:00 AM MDT Nothing To Worry About NameCheap assures via Twitter that "[t]here is nothing to worry about" and they will "keep investigating"[67].
June 24th, 2022 11:21:00 AM NameCheap DomainVault "Usually we require a pin code from customer. We also monitor all actions as well a monitor a real time vip list. In the end our [customer support] needs to be able to modify to help customers especially when 99% don't understand [DNS]. If you want complete security use [DomainVault]"[17]
June 24th, 2022 2:12:53 PM Affected List Uploaded The pastebin for the complete list of affected addresses is uploaded by Convex Finance[68].
June 24th, 2022 2:46:00 PM Restored Report Convex Finance posts on Twitter to report that the original domain is back. Original "domain is back to normal operation. DNS is secured and actively monitored." They also share a list of affected addresses.[12][69].
June 24th, 2022 4:16:00 PM NameCheap Clarifies Hack NameCheap responds that it "[l]ooks more like [their customer support] person was hacked."[21]
June 25th, 2022 Domain Vault Discount NameCheap lowers the price of their Domain Vault service from $19.88/mo[70] to $1.88/mo[71].
July 1st, 2022 10:14:00 AM Postmortem Released Convex Finance releases a post-mortem report with further details of what happened, how much was lost, and their compensation plans[72][11].
July 2nd, 2022 Price Segmentation NameCheap decides to offer two different Domain Vault services from "Silver" tier at $1.88/mo[73] to "Titanium" tier at $19.88/mo[74].

Technical Details

The account of a customer support agent for NameCheap[20] was believed to be hacked[21].

This allowed the attacker to modify the DNS settings for multiple high profile decentralized protocols with domain names registered there, including Convex Finance, Ribbon Finance, Defi Saver, and AllBridge[22]. Because they were making the changes as an official support team member, the attacker was able to override any 2-factor authentication, passwords, and security alert settings in the account[61][75][76].

The domain names were modified to point to a server which displayed a similar website to Convex Finance, and requested the user to provide approval to vanity smart contracts which had the same first and last 4 characters as the official smart contract address of Convex Finance[23].

Instead of function as the standard Convex Finance smart contract would, this new smart contract would enable the attacker to drain all of the user's funds from their wallet.

"The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts."

Smart Contracts Used:[77]

Use of Vanity Ethereum Addresses

The attack increased it's effectiveness by using vanity addresses[48] which were generated to have the same leading 4 characters and ending 4 characters[61]. Many users use wallets and other devices which only display the first and last 4 characters of an address, so they may likely have had no reasonable way of noticing that the wallet addresses did not match. Other users will routinely only check the address they interact with very briefly.

Stefan Patatu explains in a thread[78], quoting an original tweet from DegenSpartan[79].

What are vanity addresses?

How can haxxors use them to steal your coins?

How can dapps use them to protec you?

What can wallets do to protec you?

What can you do to protec yourself?

A thread on some obscure knowledge, on things you don’t know you don’t know.

Might save [you].

I wanted to write about this for a long time, but it was this recent thread by @DegenSpartan that eventually provided me with the necessary motivation.

"a fear that i still have is just simply going through the motions and trusting that the front end is sending the correct, rather than a tampered or malicious, data payload for me to sign off on and broadcast to the chain

i try not to do large txs when i am tired or sleepy"

What G is talking about above is something that 99% of you don’t do (but you definitely should): checking that what the dapp and|or what the browser wallet are displaying is *exactly* the same thing as what you are signing on your HW.

Big emphasis on “exactly”.

For example, you might want to send 100 $DAI to your wife’s boyfriend: you copy-paste his address, you enter “100 $DAI”, you double-check and triple-check everything to make sure you are sending the right amount to the right address, and press “Sign TX”.

The “Review transaction” screen pops up on your @Ledger, so you just go through the motions: RIGHT, RIGHT, RIGHT, RIGHT, RIGHT, LEFT+RIGHT.

But you do not stop to check whether the address displayed by your @Ledger is *exactly* the same as the one you have on file, whether the amount is “100” (and not “1000”, for example), whether you are interacting with the $DAI SC (and you are not sending him 100 $LINK instead).

You just faithfully sign the TX, trusting that you have already triple-checked everything on your PC.

But as G says, that is a recipe for disaster.

The only thing you should trust is your HW. Everything displayed by the dapp you are interacting with or by the browser wallet you are using can be tampered.

A vanity address is an address that has parts of it chosen rather than randomly generated. Adding vanity to an address is used to make it stand out amongst the other (random) addresses, give it personality, reinforce a brand, make the owner(s) feel cool, send a message, etc.

A popular vanity address is 0x000000000000000000000000000000000000dead. Notice the “dead” at the end. It is sometimes used in place of the standard null address, 0x0000000000000000000000000000000000000000

Another popular vanity address most of you have interacted with is the @1inch router, 0x1111111254fb6c44bAC0beD2854e76F90643097d. Notice the 7 “1”s at the beginning.

A new yet popular vanity address that just appeared on the chain is the @ConcaveFi $CNV token address, 0x000000007a58f5f58E697e51Ab0357BC9e260A04. Notice the 8 “0”s at the beginning.

In any case, you get the idea: a vanity address is an address that has parts of it chosen rather than randomly generated.

Do not confuse vanity addresses with .eth (@ensdomains) addresses. Vanity addresses are no different than any other addresses. They just look different to us because hoomans don’t like randomness.

As a #PrudentSpartan, I am sure you check the address you are interacting with on your HW before signing the TX (unlike 99% of CT). But do you check the whole address, or just the first and last few (3-4) characters?

Because you might just be wasting your time in exchange for a false sense of security.

Notice how @MetaMask only shows the first and last few characters of the address, not the entire address. If you check only that with your HW, you are wasting your time for a false sense of security.

You press “Confirm” on the @MetaMask window displayed above. You then see this on your @Ledger. Everything checks out. You sign the TX. I just stole your money!

How?! Besides the main use of vanity to make addresses stand out, there is another, less known (and evil), use case: making addresses blend in.

If you check the chain, you will see that the address you should have interacted with is 0x4678f0a6958e4D2Bc4F1BAF7Bc52E8F3564f3fE4. Instead, the address displayed by your @Ledger was 0x4679E467A5fAe7687bFff70996A9649Be2C13fE4.

Notice how both addresses start and end with the same characters as the ones displayed by your @MetaMask, but they are completely different otherwise. If you only verified what your @MetaMask showed you, you would have lost your money.

Instead of using vanity to create an address that stands out, I used vanity to create an address that blends in. In fact, it only took my laptop 5 seconds (!) to find another address that begins and ends with the same characters that are displayed by @MetaMask for you to check.

My “fake” address is a completely valid address. You can even see its PK in the above SS. If you don’t believe me, try and import it into your wallet. You will see, it works. I used a vanity address generator to create an address that blends in, rather than one that stands out.

And because @MetaMask only shows the first and last few characters, and so you only checked the first and last few characters, I was able to make you interact with another address that just so happens to begin and end the same way you expected it to.

Blockchain Analytics

Various notable addresses and transactions from Etherscan for further research/analysis:

[80][81][82][77][31][83]

Malicious Contracts:

  • The first malicious contract 0x65a8...3b2f[28] was created by wallet 0x5622...781a[29][27].
  • The final

Total Amount Lost

Cryptonomist reports that as of June 24th, 2023, "the tally of what the hacker managed to steal is about 220 ETH[44]" however no further information is provided as to how that number was determined by Cryptonomist. The blockchain records of the attacker's known wallet show significantly fewer tokens being received in total[84].

Convex Finance described in their postmortem that only 3 of the 40 exploited addresses had funds taken from them, and the specific total was 15,968 cvxCRV and 433 CRV[11]. Matching blockchain transactions can be identified for 15,968.95655 cvxCRV[55] and 433.3936 CRV[56].

"As of today, there are 40 known addresses that approved malicious contracts as a result of this incident. In total, an estimated 15,968 cvxCRV and 433 CRV are suspected of being stolen from users. Only 3 of the 40 addresses listed had funds taken."

While the attacker's wallet does contain additional transactions, it is unclear which specific attack these belong to and most amounts are less substantial[84]. The closing market price of Curve on June 23rd, 2022 was $0.8308[5], while the closing market price of Convex's cvxCRV token was $0.8285[2]. Combining with the post-mortem information, this results in an estimated total loss of $13,589.22 USD.

Immediate Reactions

On June 23, 2022, the Twitter user @alexintosh reported an abnormal approval requested by the Convex Finance website, with a similar but not exact smart contract address[42][43].

"What is this unverified contract? 0xF403a2c10B0B9feF8f0d4F931df5d86aD187AE31. [The] @ConvexFinance website is asking for approval for that but the correct one is 0xF403C135812408BFbE8713b5A23a04b3D48AAE31. 4 Starting/Ending Characters are the same. DNS spoofing?"

The situation was initially reported and detailed by Twitter users @HarukoTech[46] and Bret Woods (@fewture)[47]. These users provided a complex analysis of the transactions and a guide on a work around to validate transactions on hardware devices by using smaller transaction fees[46][47].

It was quickly realized that multiple protocols were affected by the exploit. A Telegram group was set up for communication between the different affected protocols[85].

Shortly after this, the Convex Finance team posted to announce that they had restored the domain name to the original settings and provided a list of affected users[54].

Investigation is still ongoing, but a quick update for the community:

- DNS for http://convexfinance.com was hijacked, prompting users to approve malicious contracts for some interactions on the site.

- Funds on verified contracts are unaffected.

- Issue is remediated at this time, but investigation is ongoing. Full post-mortem to follow.

At this time, 5 addresses seem to have approved malicious contracts (in the tweet below). If you are the owner of one of these addresses, please reach out via Twitter DM or Discord.

However, the nature of DNS is such that propagation of settings requires time and blockchain data shows that the most significant affected user thefts happened after this notice, which described the situation as "remediated"[55][56].

Ultimate Outcome

The NameCheap CEO ultimately responded on Twitter to explain that there was a hacked or compromised customer support agent and all access was removed from them[20]. He also offered completely free Domain Vault monitoring to all affected services[19].

"We've traced this down to a specific [customer support] agent that was either hacked or compromised somehow and have removed all access from this agent. This affected a few targeted domains but we will continue investigating." "In the meantime we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring."

Convex Finance posted a finalized list of affected addresses on June 24th[12][68][69].

At this time, the addresses on this list (linked below) are suspected of having approved malicious contracts. Please note this list may or may not be complete.

There was strong criticism from user @flubdubster for Convex Finance using a standard domain registration which doesn't have advanced spoofing protection[86][87][88].

Total Amount Recovered

Convex Finance reported in their post-mortem that they would be covering all losses in full[11].

"Convex Finance will attempt to compensate losses stemming from the DNS hijacking from June 20–23, 2022, sourced from the treasury, and paid in CVX tokens equivalent to the USD values at time of loss. Funds will go directly to the addresses affected once approvals have been revoked to the malicious contracts."

It is assumed that Convex Finance followed their on their promises and all affected users were compensated fully.

Ongoing Developments

Lost funds were covered for users by the Convex Finance protocol form their treasury[11]. It remains to be seen whether any of the proceeds will be successfully located and recovered from the hackers.

Individual Prevention Policies

There are two policies which apply in this case. See the Prevention Policies for Individuals page for the full list.

Full Prevention

Every approval on Web3 is an opportunity to lose all of the funds present in your wallet. Take the time to review the transaction in full. Fully check over the balance, permissions, and entire address which you are interacting with. Do not trust that your clipboard or any website front-end is guaranteed to provide an accurate address or transaction status. Always perform a test transaction prior to the first high-value transaction in any session.

Limiting Losses

Store the majority of funds offline. By offline, it means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc...

Platform Prevention Policies

There are three different policies applying here. See the Prevention Policies for Platforms page for all policies.

Prevention by Namecheap

The issue ultimately stemmed from a single customer support agent being compromised. A multi-signature requirement on DNS changes would have prevented this scenario entirely. While NameCheap offers advanced protections on their domain names, this service had just launched two days prior to the DNS change, so it was unlikely to be a reasonable expectation that Convex Finance would have already signed up.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Prevention by Convex Finance

All points along the communication and supply chain should be inspected for vulnerabilities. Common vulnerability points may include DNS, Discord, and customer information. What steps are required to access and/or modify the component? Do any third party companies or organizations implement a proper multi-signature approach? What additional security options are available?

Regulatory Prevention Policies

There is one policy to prevent the situation, and one to reduce the impact. See the Prevention Policies for Regulators page for the full list of policies.

Full Prevention Through Security Assessments

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The third parties must not repeat within the past 14 months. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

Reduction Through Education

Create a standard tutorial and quiz for all new cryptocurrency participants, which is required to be completed once per participant. This tutorial and quiz should cover the basics of proper seed phrase protection, strong password generation, secure two-factor authentication, common fraud schemes, how to detect and guard against phishing attacks, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space.

This could greatly reduce the effectiveness of a similar fraud to affect those such educated.

References

  1. 1.0 1.1 1.2 1.3 1.4 Convex Finance Homepage (Aug 23, 2022)
  2. 2.0 2.1 Convex (CRV) Historic Market Prices - CoinMarketCap (Aug 24, 2022)
  3. 3.0 3.1 Convex for Curve.fi - Convex Finance Docs (Aug 23, 2022)
  4. 4.0 4.1 JustinCBram - "Learn how to automatically boost your @CurveFinance staking yields with @ConvexFinance! Check out the video below to learn more!" - Twitter (Aug 24, 2022)
  5. 5.0 5.1 Curve DAO Token Historic Market Price - CoinMarketCap (Aug 24, 2022)
  6. Convex Finance Pre Launch Announcement - Medium (Aug 24, 2022)
  7. 7.0 7.1 Convex Finance - "Introducing Convex Finance! A new platform" - Twitter (Aug 24, 2022)
  8. Convex Finance - "we've been welcomed with open arms into the defi community" - Twitter (Aug 24, 2022)
  9. Convex Platform Security Audit Report - MixBytes (Aug 23, 2022)
  10. What is DNS? | How DNS works | Cloudflare (Feb 9, 2023)
  11. 11.0 11.1 11.2 11.3 11.4 Post Mortem Of Events June 23 - Convex Finance Medium (Aug 24, 2022)
  12. 12.0 12.1 12.2 12.3 Convex Finance - "domain is back to normal operation. DNS is secured and actively monitored" - Twitter (Aug 24, 2022)
  13. @DevanCollins3 Twitter (Aug 24, 2022)
  14. @LefterisJP Twitter (Feb 10, 2023)
  15. 15.0 15.1 15.2 Domain Vault Page on June 19th, 2022 - Namecheap (Feb 12, 2023)
  16. 16.0 16.1 16.2 Domain Vault Page on June 20th, 2022 - Namecheap (Feb 12, 2023)
  17. 17.0 17.1 17.2 Richard Kirkendall - "If you want complete security use [Domain Vault]" - Twitter (Aug 24, 2022)
  18. DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter (Mar 10, 2023)
  19. 19.0 19.1 19.2 Richard Kirkendall - "we would like to offer you our Domain Vault service for free and we will also place all affected domains on the highest security monitoring" - Twitter (Feb 24, 2023)
  20. 20.0 20.1 20.2 20.3 Richard Kirkendall - "traced this down to a specific [customer support] agent that was either hacked or compromised" - Twitter (Aug 24, 2022)
  21. 21.0 21.1 21.2 Richard Kirkendall - "[l]ooks more like [their customer support] person was hacked." - Twitter (Feb 11, 2023)
  22. 22.0 22.1 DeFi Dapps DNS Attacked - TrustNodes (Feb 25, 2024)
  23. 23.0 23.1 Stefan Patatu - "What are vanity addresses? How can haxxors use them to steal your coins? How can dapps use them to protec you? What can wallets do to protec you? What can you do to protec yourself? A thread on some obscure knowledge, on things you don’t know you don’t know." - Twitter (Aug 23, 2022)
  24. Domain Vault Page on Mar 22nd, 2022 - Namecheap (Feb 9, 2023)
  25. First Attack Address "Fake_Phishing5851" - 0x56d3191ee65f1f76e4e902ec983c6420398d49c8 | Etherscan (Aug 23, 2022)
  26. Funds Moved Into First Attack Address "Fake_Phishing5851" - Etherscan (Mar 5, 2023)
  27. 27.0 27.1 27.2 First Transaction Creating Malicious Contract 0x65a8...3b2f - Etherscan (Feb 23, 2023)
  28. 28.0 28.1 Unused Contract 0x65a8...3b2f - Etherscan (Feb 27, 2023)
  29. 29.0 29.1 Wallet Address 0x5622...7d1a Who Created 0x65a8...3b2f - Etherscan (Feb 27, 2023)
  30. Transfer of 160.996854988110785532 CRV To Attacker - Etherscan (Dec 7, 2023)
  31. 31.0 31.1 Address 0xB732...F9Aa (Convex & Ribbon Phisher) - Etherscan (Aug 23, 2022)
  32. Malicious "Convex Booster" Contract Created - Etherscan (Feb 15, 2023)
  33. Convex Finance Booster Contract - Etherscan (Feb 24, 2023)
  34. @Alexintosh - "I don't what's happening but be 100% certain you approve exactly" - Twitter (Feb 24, 2023)
  35. Final Malicious Contract Creation - EtherScan (Feb 23, 2023)
  36. Attacker's Third Address - 0xba63402bdf0e1b245333e5ef008baee69d669f2a | Etherscan (Aug 23, 2022)
  37. Attacker Moving Funds To Third Address - Etherscan (Mar 5, 2023)
  38. Malicious "CvxLockerV2" Contract Created - Etherscan (Feb 23, 2023)
  39. Malicious Smart Contract - Etherscan (Aug 23, 2022)
  40. martinkrung Reports Fake "CvxLockerV2" Contract - Twitter (Feb 23, 2023)
  41. Actual "CvxLockerV2" Smart Contract - Etherscan (Feb 23, 2023)
  42. 42.0 42.1 Alexintosh - "What is this unverified contract ?" - Twitter (Aug 23, 2022)
  43. 43.0 43.1 Contract Addresses - ConvexFinance (Aug 24, 2022)
  44. 44.0 44.1 44.2 Convex: more info on the hack - Cryptonomist (Jul 2, 2022)
  45. @ConvexFinance - "Please review approvals while we evaluate a potential front end issue." - Twitter (Aug 23, 2022)
  46. 46.0 46.1 46.2 HarukoTech - "[t]he attacker seems to be generating similar addresses to well know[n] protocols" - Twitter (Aug 24, 2022)
  47. 47.0 47.1 47.2 Bret Woods (@fewture) - "[w]e're seeing hackers create addresses that match the first 4 and last 4 characters" - Twitter (Feb 22, 2023)
  48. 48.0 48.1 Stefan Patatu - "I explained more about this type of vanity attack here." - Twitter (Oct 10, 2022)
  49. Known Approval Address 0x496e53c32a69a79a82ed85d2913010dd2f9d1b4f | Etherscan (Feb 15, 2023)
  50. raspu.eth | Known Approval Address 0x4ffc5f22770ab6046c8d66dabae3a9cd1e7a03e7 | Etherscan (Feb 15, 2023)
  51. Known Approval Address 0x5b186c93a50d3cb435fe2933427d36e6dc688e4b | Etherscan (Feb 15, 2023)
  52. Known Approval Address 0x624301090700ea1e3c5b5224f89adfae405412c1 | Etherscan (Feb 15, 2023)
  53. Known Approval Address 0x92557b6ffa116b53cf2c3bc1d6d33f78d97ed4c9 | Etherscan (Feb 15, 2023)
  54. 54.0 54.1 Convex Finance - "Investigation is still ongoing, but...5 addresses seem to have approved malicious contracts" - Twitter (Aug 24, 2022)
  55. 55.0 55.1 55.2 Theft of 15,968.95655 cvxCRV - Etherscan (Feb 23, 2023)
  56. 56.0 56.1 56.2 Theft Of 433.3936 CRV - Etherscan (Feb 22, 2023)
  57. @ConvexFinance - "An alternate domain has been set-up as a precaution for Convex users." - Twitter (Aug 24, 2022)
  58. Convex Finance Suffers From DNS Attack - CoinCu (Jul 21, 2023)
  59. Harold Nguyen - Twitter (Oct 10, 2022)
  60. @0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter (Feb 27, 2023)
  61. 61.0 61.1 61.2 CryptoCondom - "A multi-platform DNS exploit appears to have occurred this week w/illicit vanity contracts" - Twitter (Apr 1, 2023)
  62. Nalin Gupta - "4 DeFi projects have experienced a DNS hijack attack" - Twitter (Apr 1, 2023)
  63. Nalin Gupta - "It does seem some others might be affected tho[ugh]" - Twitter (Apr 1, 2023)
  64. idclickthat - "crypto phish" - Twitter (Apr 1, 2023)
  65. TommyBeFamous - "So far 4 #ethereum DeFi projects experienced a DNS hijack attack." - Twitter (Mar 24, 2023)
  66. @ConvexFinance - "it is recommended that all users who've interacted with the Convex website in the past week review their approvals" - Twitter (Aug 23, 2022)
  67. NameCheap - "There is nothing to worry about; we keep investigating" - Twitter (Apr 1, 2023)
  68. 68.0 68.1 Known Approvals From Convex Finance - Pastebin.com (Aug 24, 2022)
  69. 69.0 69.1 Convex Finance - "the addresses on this list (linked below) are suspected of having approved malicious contracts" - Twitter (Aug 24, 2022)
  70. Domain Vault Page on June 24th, 2022 - Namecheap (Feb 13, 2023)
  71. Domain Vault Page on June 25th, 2022 - Namecheap (Feb 13, 2023)
  72. @ConvexFinance - "Important Update on Medium regarding the DNS hijacking events last weekend." - Twitter (Feb 18, 2023)
  73. Domain Vault Page on July 1st, 2022 - Namecheap (Feb 13, 2023)
  74. Domain Vault Page on July 2nd, 2022 - Namecheap (Feb 13, 2023)
  75. DeFiSaver - "Same as with others, strong passwords and 2fa were used and we don't recognise security factors on our end that could have led to this." - Twitter (Mar 23, 2023)
  76. DefiSaver - "We certainly did use 2FA, as mentioned and as did other teams." - Twitter (Mar 23, 2023)
  77. 77.0 77.1 Vanity Phishing Smart Contract 0xF403...AE31 - Etherscan (Dec 7, 2o23)
  78. Stefan Patatu - "What are vanity addresses?" - Twitter (Jul 21, 2023)
  79. DegenSpartan - "a fear that i still have is just simply going through the motions and trusting that the front end is sending the correct, rather than a tampered or malicious, data payload for me to sign off on and broadcast to the chain" - Twitter (Jul 21, 2023)
  80. Transaction Creating 0xdd49....c82b - Etherscan (Feb 27, 2023)
  81. Transactions By Wallet 0x56d3...49c8 (Fake_Phishing5851) - Etherscan (Dec 27, 2023)
  82. Address 0x4e12...899a Who Created 0xf403...ae31 - Etherscan (Dec 28, 2023)
  83. Convex Finance Tokens Received By Convex & Ribbon Phisher - Etherscan (Dec 28, 2023)
  84. 84.0 84.1 Token's Received and Sent By The Attacker's Wallet - Etherscan (Feb 23, 2023)
  85. 0xLlam4 - "on TG, can add you into a group with affected protocols" - Twitter (Feb 27, 2023)
  86. flubdubster - "You called them out…here is their response You tried to safe some bucks…don’t blame them. It’s obvious that major DeFi products shouldn’t take the free plan. Don’t blame, own." - Twitter (Aug 24, 2022)
  87. flubdubster - "Is it true an additional 20$/month bill could have prevented this tweet?" - Twitter (Aug 24, 2022)
  88. flubdubster - "They were on the free plan. A mere 20 bucks / month would have prevented this attack." - Twitter (Aug 24, 2022)