DYdX Exchange DNS Hijacking Attack
[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]
About dYdX Exchange
"Perpetuals, decentralized." "Trade Perpetual Contracts with low fees, deep liquidity, and up to 25× more Buying Power. Deposit just $10 to get started."
"We built the fastest and most powerful decentralized exchange ever." "Once you deposit to Layer 2, you will no longer pay fees to miners for each transaction." "Trades are executed instantly and confirmed on the blockchain within hours." "Unlike other platforms, there is no wait required to withdraw your funds from Layer 2." "We've redesigned our exchange from the ground up, so you can use it from any device." "StarkWare's Layer 2 solution provides increased security & privacy via zero-knowledge rollups." "Access leverage across positions in multiple markets from a single account."
"dYdX is the leading DeFi protocol developer for advanced trading. Trade 135 cryptocurrencies with low fees, deep liquidity, and up to 20× buying power."
The Reality
"In 2023, Squarespace acquired the rights to all domains from the now-defunct Google Domains. All domains were migrated over a period of months. The domain dydx.exchange, owned by dYdX Trading, was migrated from Google Domains to Squarespace on June 15, 2024."
"On July 9, while registered with Squarespace, attackers gained access to the dydx.exchange domain, and modified the DNS Nameservers from Cloudflare to DDoS-Guard. This attack was mitigated by DNSSEC settings that remained set on the registrar. This resulted in would-be-visitors’ browsers failing to authenticate the DNS changes, and correctly blocking users from viewing the page.
dYdX promptly contacted Squarespace customer service during this incident and they restored access to the account quickly according to their account-recovery policies. dYdX ensured that all passwords and 2FA were rotated on Squarespace accounts and that the attacker’s access was fully removed. The attack was completely mitigated and fixed within a couple of hours.
Two days later on July 11, several additional reports of targeted attacks on crypto-specific domains — which had been migrated from Google Domains to Squarespace — were reported. As a result, SEAL, a crypto-focused security team, put together an incident-response team to figure out what was going on, how the attack could be mitigated, and how to get any relevant information to Squarespace itself. At this point, dYdX realized that the earlier incident was likely part of a broader attack against crypto domains, and assisted the investigators. At this time, dYdX also continued to monitor the dydx.exchange domain for any suspicious activity.
On July 14, SEAL published a postmortem on the issue based on their findings, but without much direct information from Squarespace. This postmortem suggested that there were one-or-more technical vulnerabilities in Squarespace that allowed for these attacks to happen.
On July 18, Squarespace posted a longer postmortem which confirmed an exploited security issue with OAuth logins on their site. It included information that the issue was fixed on July 12.
While dYdX decided to change domain registrars, dYdX believed that Squarespace had successfully mitigated the attack and fixed the vulnerability."
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
Date | Event | Description |
---|---|---|
July 23rd, 2024 9:59:00 AM MDT | Twitter Announcement Post | The dYdX team posts on Twitter to announce that they are now aware of the hack on the dYdX domain. |
July 23rd, 2024 11:48:00 AM MDT | Twitter Mention Of Hack | A mention on Twitter of the hacked website. |
July 23rd, 2024 1:36:00 PM MDT | Post About Phishing Attack | A post is made which highlights the attack that took place and the phishing transaction which was requested from users. |
July 23rd, 2024 1:43:00 PM MDT | Website Noted Restored | A tweet notes that the website has now been restored and should be safe to use, though users are warned about the potential that their device may have cached the compromised DNS settings. |
July 24th, 2024 10:00:00 PM MDT | PostMortem Release | The dYdX Exchange releases a postmortem on the DNS Hijack attack. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
"Two users were affected, resulting in a loss of approximately $31,000."
"During the roughly 2 hours that the http://dydx.exchange domain was hijacked, 2 users lost funds totaling about $31k. dYdX Trading is in contact with those users and will ensure that they are made whole."
The total amount lost has been estimated at $31,000 USD.
Immediate Reactions
"On July 23, the dydx.exchange domain was discovered to have been compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address."
"On July 23, it was discovered that the dydx.exchange domain was compromised. The attacker changed the DNS Nameservers from Cloudflare to DDoS-Guard. The attacker also successfully removed the DNSSEC settings on the domain. dYdX immediately contacted Squarespace customer support. Squarespace was able to return possession of the domain as well as fix the DNS Nameserver resolution within a couple of hours. The recovery process was delayed for over 30 minutes due to maintenance from one of Squarespace’s third-party vendors which prevented changing the DNS Nameservers back to Cloudflare.
The attacker hosted a malicious site which requested that any connected wallets transfer ETH and other ERC20 tokens to the attacker’s Ethereum address. During this time, dYdX also worked with SEAL and other partners to ensure that popular crypto wallets like Metamask and Phantom would block the site for the duration of the attack. To our knowledge at the time of publishing, 2 users were affected with approximately $31,000 in lost funds due to this attack. dYdX trading is in contact with both affected users and is assisting in securing their wallets and is committed to recovering funds."
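The two postmortem excerpts above describe the same registrar-level change seen twice: on July 9 the nameservers were moved but the DS record (the DNSSEC anchor published at the parent) stayed in place, so validating resolvers refused the unsigned answers; on July 23 the nameservers were moved and the DS record was removed, so the attacker's site resolved normally. The monitor below is an added example (not code from dYdX, Squarespace or SEAL) of the defender-side check that distinguishes those two states: it parses dig-style record lines for the domain's NS and DS records and compares them with an expected baseline. The nameserver hostnames under `.example` and the DS digest are constructed placeholders, as are the three snapshots; in practice the input would be the answer section of `dig NS dydx.exchange` and `dig DS dydx.exchange`, taken on a schedule from a validating resolver.

```python
"""Registrar-drift monitor for NS and DS records (added example, not the
project's own code). Parses dig-style lines and compares them against an
expected baseline, flagging the two changes described in the postmortem:
nameservers moved off the expected provider, and DS records removed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    domain: str
    nameservers: frozenset        # expected NS targets (lowercase, trailing dot)
    ds_required: bool = True      # a DS record must stay published at the parent


def parse_dig_lines(text):
    """Parse 'owner TTL IN TYPE rdata' lines (dig answer format) into a dict
    of {TYPE: set(rdata)}. Text after ';' is a comment; blank lines are skipped."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparseable record line: {raw!r}")
        _owner, _ttl, _cls, rtype, rdata = parts
        # Normalise rdata (case and whitespace) so set comparison is stable.
        records.setdefault(rtype.upper(), set()).add(" ".join(rdata.lower().split()))
    return records


def check_snapshot(baseline, records):
    """Compare one snapshot with the baseline. Returns a list of
    (check, severity, detail) tuples; an empty list means no drift."""
    findings = []
    observed_ns = records.get("NS", set())
    ds_present = bool(records.get("DS"))
    unexpected = sorted(observed_ns - baseline.nameservers)
    missing = sorted(baseline.nameservers - observed_ns)

    if unexpected or missing:
        # With DS still published, validating resolvers reject the unsigned
        # answers from the replacement nameservers (the July 9 outcome).
        # Without DS, the replacement zone resolves normally (July 23).
        severity = "critical" if not ds_present else "high"
        findings.append(("NS_CHANGED", severity,
                         f"unexpected={unexpected} missing={missing}"))
    if baseline.ds_required and not ds_present:
        findings.append(("DS_REMOVED", "critical",
                         "no DS record at parent; DNSSEC chain of trust broken"))
    return findings


# Constructed sample data. Hostnames and the DS digest are placeholders.
EXPECTED = Baseline(
    domain="dydx.exchange",
    nameservers=frozenset({"ns1.cloudflare.example.", "ns2.cloudflare.example."}),
)

BASELINE_SNAPSHOT = """
dydx.exchange.  3600  IN  NS  ns1.cloudflare.example.   ; placeholder NS
dydx.exchange.  3600  IN  NS  ns2.cloudflare.example.
dydx.exchange.  3600  IN  DS  12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# July 9 shape: nameservers changed, DS still published at the registrar.
JULY9_SNAPSHOT = """
dydx.exchange.  3600  IN  NS  ns1.ddos-guard.example.   ; placeholder NS
dydx.exchange.  3600  IN  NS  ns2.ddos-guard.example.
dydx.exchange.  3600  IN  DS  12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# July 23 shape: nameservers changed and DS record removed.
JULY23_SNAPSHOT = """
dydx.exchange.  3600  IN  NS  ns1.ddos-guard.example.   ; placeholder NS
dydx.exchange.  3600  IN  NS  ns2.ddos-guard.example.
"""


def run_demo():
    """Run the monitor over the three constructed snapshots."""
    return {
        name: check_snapshot(EXPECTED, parse_dig_lines(snap))
        for name, snap in (("baseline", BASELINE_SNAPSHOT),
                           ("july9", JULY9_SNAPSHOT),
                           ("july23", JULY23_SNAPSHOT))
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "no drift")
```

The severity split is the point of the check: a nameserver change alone is an alert, but a nameserver change accompanied by a missing DS record is the state in which clients stop being protected, and the second finding should page someone regardless of what the first one says. Polling from a resolver you control also sidesteps the caching problem noted in the timeline (devices that cached the hijacked records), since the monitor sees the authoritative state rather than a stale local cache.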
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- SlowMist Hacked - SlowMist Zone (Accessed Aug 30, 2024)
- DNS Nameserver Hijacking Postmortem (Accessed Aug 30, 2024)
- dYdX - Trade Perpetuals on the most powerful trading platform (Accessed Aug 30, 2024)
- @llamaonthebrink Twitter (Accessed Aug 30, 2024)
- @open4profit Twitter (Accessed Aug 30, 2024)
- @LawrenceChiu14 Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @Wazzup_Crypto Twitter (Accessed Aug 30, 2024)
- @DerekTMcKinney Twitter (Accessed Aug 30, 2024)
- @TechFlowPost Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @dYdX Twitter (Accessed Aug 30, 2024)
- @GoPlusSecWareX Twitter (Accessed Aug 30, 2024)
- @Echoeweb Twitter (Accessed Aug 30, 2024)
- @parrot_coins Twitter (Accessed Aug 30, 2024)
- @veritas_web3 Twitter (Accessed Aug 30, 2024)