Ether.fi Domain Name Failed Takeover Attempt

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Ether Finance Logo/Homepage

ether.fi is a liquid restaking token which allows Ethereum to be staked and also used for other services in the ecosystem. ether.fi reports that an attempt was made to take over its domain name; the attempt was prevented through the use of hardware-based authentication devices and prior contact with the domain registrar. The attack was not successful and the ether.fi domain name remained within the team's control.[1][2][3][4][5]

About Ether Finance

"Stake ETH, get eETH - the liquid restaking token that rewards you more across DeFi."

"ether.fi is a decentralized, non-custodial delegated staking protocol with a Liquid Staking token. One of the distinguishing characteristics of ether.fi is that stakers control their keys. The ether.fi mechanism also allows for the creation of a node services marketplace where stakers and node operators can enroll nodes to provide infrastructure services."

"In weeks prior, there was an increase in exploitation of [domain registrar] attack vectors observed with other protocols. We preemptively upgraded our key platforms to require hardware authentication as an authentication method."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"On September 24, ether.fi experienced a security incident involving its domain registrar, Gandi.net, resulting in the [attempted] compromise of the ether[.]fi domain."

Key Event Timeline - ether.fi Domain Name Failed Takeover Attempt

Date | Event | Description
September 24th, 2024 10:38:00 AM MDT | Account Recovery Notification | The ether.fi team reports receiving an account recovery notification from the registrar Gandi.net.
September 24th, 2024 1:30:00 PM MDT | No Actual Attack Confirmed | "Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi’s account had been successfully locked to prevent further tampering and the nameserver config restored. There is a comprehensive analysis of external and internal systems in progress, and as of now there are no traces of an internal breach observed."
September 24th, 2024 6:20:53 PM MDT | ether.fi Notice Posted | The ether.fi team posts a public announcement about the attempted attack on their gitbook.
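The timeline turns on two registrar-side controls: the account and domain being locked against further changes, and the nameserver configuration being restored to its known state. The following Python script is an added example (not ether.fi's or Gandi's tooling) of how a team can monitor both conditions continuously: it parses ICANN gTLD-style WHOIS output for a domain, compares the reported nameservers against an expected baseline, and flags any registrar lock status (the EPP codes clientTransferProhibited, clientUpdateProhibited and clientDeleteProhibited from RFC 5731) that is no longer set. The domain, registrar name, hostnames and WHOIS text below are constructed sample data so the check runs offline; a real deployment would feed in live WHOIS or RDAP output on a schedule and page on any drift report that is not OK.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# EPP status codes (RFC 5731) a registrar sets when it locks a domain against
# transfer, update and delete requests. Their absence, once a lock is expected,
# is itself a signal worth alerting on.
REGISTRAR_LOCK_STATUSES = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
})


@dataclass
class DomainObservation:
    """What the registry's WHOIS output currently reports for a domain."""
    domain: str
    nameservers: set[str]
    statuses: set[str]


@dataclass
class DriftReport:
    domain: str
    unexpected_ns: set[str] = field(default_factory=set)  # NS present but not in baseline
    missing_ns: set[str] = field(default_factory=set)     # NS in baseline but gone
    missing_locks: set[str] = field(default_factory=set)  # lock statuses no longer set

    @property
    def ok(self) -> bool:
        return not (self.unexpected_ns or self.missing_ns or self.missing_locks)


def normalize(name: str) -> str:
    """Hostnames compare case-insensitively and with or without a trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_whois(text: str) -> DomainObservation:
    """Parse the 'Key: value' lines of an ICANN gTLD-style WHOIS response."""
    domain = ""
    nameservers: set[str] = set()
    statuses: set[str] = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            domain = normalize(value)
        elif key == "name server" and value:
            nameservers.add(normalize(value))
        elif key == "domain status" and value:
            # Line format is "<status> <url>"; only the status code matters here.
            statuses.add(value.split()[0])
    return DomainObservation(domain, nameservers, statuses)


def check_domain(observed: DomainObservation, expected_ns: set[str]) -> DriftReport:
    """Compare the live observation against the nameserver baseline and lock policy."""
    expected = {normalize(n) for n in expected_ns}
    return DriftReport(
        domain=observed.domain,
        unexpected_ns=observed.nameservers - expected,
        missing_ns=expected - observed.nameservers,
        missing_locks=set(REGISTRAR_LOCK_STATUSES - observed.statuses),
    )


# Constructed sample WHOIS output for a hypothetical domain: the known-good
# baseline, and the same domain as it would appear if its nameservers had been
# redirected and two of the registrar locks cleared.
BASELINE_WHOIS = """\
Domain Name: EXAMPLE-PROTOCOL.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

TAMPERED_WHOIS = """\
Domain Name: EXAMPLE-PROTOCOL.NET
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.UNRECOGNIZED.EXAMPLE
Name Server: NS2.UNRECOGNIZED.EXAMPLE
"""

# The nameserver baseline a team records when the domain is known to be in order.
EXPECTED_NS = {"ns1.example-dns.net", "ns2.example-dns.net"}


if __name__ == "__main__":
    for label, text in (("baseline", BASELINE_WHOIS), ("tampered", TAMPERED_WHOIS)):
        report = check_domain(parse_whois(text), EXPECTED_NS)
        print(label, "OK" if report.ok else f"DRIFT {report}")
```

The report separates three findings because they call for different responses: unexpected nameservers mean traffic for the web app and mail may already be resolving elsewhere, missing baseline nameservers mean the legitimate infrastructure is no longer advertised, and missing lock statuses mean the registrar-side guard that stopped this incident is no longer in place. Alongside hardware-backed authentication on the registrar account, polling this check every few minutes gives a team its own detection that does not depend on the registrar's monitoring noticing first.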

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

No funds were lost.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Gandi’s monitoring systems and process, while aggressive, locked down the domain account and prevented any access to our systems, and kept our websites, apps and emails safe from the attempted attack."

"Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi’s account had been successfully locked to prevent further tampering and the nameserver config restored. There is a comprehensive analysis of external and internal systems in progress, and as of now there are no traces of an internal breach observed."

Ultimate Outcome

"More details of the incident will be shared as they become available in collaboration with Gandi's team over the next two days. Thank you to the Seal911 team, Doppel, Ethena and Distrust our security partner - teams that instantly responded and provided assistance as we navigated the dangerous waters today.

We’re glad to report that all funds are safe, and no opportunity was given to the attackers to present a compromised dapp on any ether.fi related domain."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Sep 24: Incident - attempted domain account takeover | ether.fi (Accessed Oct 25, 2024)
  2. Etherfi (Accessed Oct 25, 2024)
  3. Etherfi (Accessed Oct 25, 2024)
  4. Getting Started | ether.fi (Accessed Oct 25, 2024)
  5. Introduction | ether.fi (Accessed Oct 25, 2024)