Kelp DAO DNS Hijacking Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Kelp DAO Logo/Homepage

Kelp DAO provides a utility that allows investors to earn a return on staked assets and on liquidity provided from those assets. On July 22nd, an individual successfully convinced GoDaddy customer support that they were the owners of Kelp DAO's registrar account, causing the DNS settings for the domain to be changed to point at a new server under the attacker's control. This server mimicked the official Kelp DAO website and asked users to sign malicious transactions that would drain funds from their wallets. Several users were affected. It is unclear what Kelp DAO plans to do; however, they have provided contact information for affected users to reach out to them.[1][2][3][4][5][6][7][8]

About Kelp DAO

"Liquid restaking with rsETH" "rsETH is a Liquid Restaked Token (LRT) issued by Kelp DAO designed to offer liquidity to illiquid assets deposited into restaking platforms, such as EigenLayer. It aims to address the risks and challenges posed by the current offering of restaking"

"Kelp DAO was founded by Amitej G and Dheeraj B, who have previously founded Stader Labs, a multichain liquid staking platform with $350M+ in TVL. The team is focused on building Liquid Restaking Solutions for public blockchain networks."

"Restakers stake their LST to mint rsETH tokens indicating fractional ownership of the underlying assets

rsETH contracts distribute the deposited tokens into different Node Operators that operate with the Kelp DAO

Rewards accrue from the various services to the rsETH contracts. The price of rsETH token assumes the underlying price of the various rewards and staked tokens

Restakers can swap their rsETH tokens for other tokens on AMMs for instant liquidity or choose to redeem underlying assets through rsETH contracts

Restakers can further leverage their rsETH tokens in DeFi"

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"On July 22, 2024, Kelp's DApp began displaying malicious wallet activity transactions aimed at draining funds."

Key Event Timeline - Kelp DAO DNS Hijacking Attack

  • July 22nd, 2024 9:30:00 AM MDT - Reported First Malicious Activity: The reported start of the malicious activity showing up in the Kelp DAO.
  • July 22nd, 2024 11:19:00 AM MDT - Twitter Notice Posted: The Kelp team posts a notice on Twitter to recommend against interacting with their DAPP.
  • July 22nd, 2024 6:16:00 PM MDT - User Interface Restored: The user interface is reported to be fully restored.
  • July 28th, 2024 5:23:32 AM MDT - Kelp Blog Update Posted: The Kelp team posts an update to their blog with a postmortem of the attack and how it occurred. They provide a link for anyone affected to reach out to them.

Technical Details

"The attackers gained access to Kelp’s domain registrar account impersonating Kelp team and successfully convinced GoDaddy’s customer support that they were the legitimate owners of the account bypassing the 2-FA that was in place. These attacks are very similar to the recent DNS hijacking that we had seen with several other crypto protocols over the last month.

It is appalling to note that the Kelp team was not intimated even once when all security restrictions were bypassed by GoDaddy customer support. We are working with GoDaddy to understand further details around the situation."
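The attack chain described above (registrar account takeover, nameservers changed, users routed to a look-alike site) leaves a signal that a project can watch for on its own rather than waiting for user reports: the domain's NS and A records stop matching a known-good baseline. The following is an added example, not Kelp DAO's or GoDaddy's code. It compares a stored baseline against a freshly observed snapshot and rates nameserver changes as critical (registrar-level control) and address-only changes as high. All record values, hostnames (`.invalid` names, documentation IP ranges) and the `kelp-app.invalid` domain are constructed for illustration; the only live lookup used is the standard-library `socket.gethostbyname_ex`, which returns A records only, so NS records for a real check would have to come from a separate resolver.

```python
"""Baseline-drift detector for a domain's nameserver (NS) and address (A) records.

Added example (not the project's own code). A registrar-level hijack shows up as
a change in the delegated nameservers and, downstream, in the addresses the app
hostname resolves to; this compares a known-good baseline against what is
currently observed and reports the deviation.
"""
from dataclasses import dataclass
import socket


@dataclass(frozen=True)
class DnsSnapshot:
    domain: str
    nameservers: frozenset  # normalised NS hostnames for the zone
    addresses: frozenset    # A records for the app hostname


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def normalise(names) -> frozenset:
    """Lower-case and strip trailing dots so 'NS1.Host.' and 'ns1.host' compare equal."""
    return frozenset(n.lower().rstrip(".") for n in names)


def detect_drift(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Return findings for every NS or A record that differs from the baseline."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots describe different domains")
    findings = []

    # Nameserver delegation changes only happen via the registrar account:
    # this is the exact symptom of the registrar social-engineering case.
    added_ns = observed.nameservers - baseline.nameservers
    removed_ns = baseline.nameservers - observed.nameservers
    if added_ns or removed_ns:
        findings.append(Finding(
            "critical",
            f"nameservers changed: added={sorted(added_ns)} removed={sorted(removed_ns)}",
        ))

    # Address changes without an NS change can still mean a zone-level compromise
    # (or a legitimate deploy), so they are rated one notch lower.
    added_a = observed.addresses - baseline.addresses
    removed_a = baseline.addresses - observed.addresses
    if added_a or removed_a:
        findings.append(Finding(
            "high",
            f"A records changed: added={sorted(added_a)} removed={sorted(removed_a)}",
        ))
    return findings


def live_addresses(hostname: str) -> frozenset:
    """Fetch current A records with the standard library (A records only; no NS support)."""
    _, _, ips = socket.gethostbyname_ex(hostname)
    return frozenset(ips)


# Constructed baseline: the records the team recorded when the site was healthy.
BASELINE = DnsSnapshot(
    domain="kelp-app.invalid",
    nameservers=normalise(["ns1.good-dns.invalid.", "NS2.good-dns.invalid"]),
    addresses=frozenset({"203.0.113.10", "203.0.113.11"}),
)

# Constructed snapshot modelling the hijack: delegation moved to unknown
# nameservers and the app hostname now resolves to an unrelated address.
HIJACKED = DnsSnapshot(
    domain="kelp-app.invalid",
    nameservers=normalise(["ns1.unknown-provider.invalid", "ns2.unknown-provider.invalid"]),
    addresses=frozenset({"198.51.100.7"}),
)


def run_constructed_check() -> list:
    """Run the detector over the constructed hijack snapshot."""
    return detect_drift(BASELINE, HIJACKED)


if __name__ == "__main__":
    for finding in run_constructed_check():
        print(f"[{finding.severity}] {finding.message}")
```

In practice the baseline would be refreshed only through a deliberate change-control step, and the comparison run from a scheduler every few minutes, so that a delegation change at the registrar pages the team instead of being discovered from user reports hours later.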

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"The Kelp team immediately posted an update on Twitter, TG and Discord channels asking users to not interact with the dApp until more details emerged. Upon the first incident report, our engineering team evaluated the situation and identified the root cause to be faulty nameservers routing users to different application code that was attempting to trick the users into phishing.

Within 30 minutes after the first report, our team got GoDaddy to lock the owning account from making further changes. More information was provided to GoDaddy to authenticate ownership and gain access to ownership of the account.

Within 4 hours from the time the incident was reported, GoDaddy had restored ownership access at which point Kelp team promptly restored settings to make Kelp dApp accessible to users again. At 7:30 PM UTC the same day, Kelp dApp began to offer the correct functionality. We began to gradually let users know that the dApp was safe to use again while constantly monitoring all through. The issue was fully resolved by 8:30 PM UTC, 5 hours from the time the incident was first reported."

"We have received a few reports from users on funds lost because of this UI attack. If you are a user affected, please enter your details here so our team can work with you to support you better."

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Accessed Aug 15, 2024)
  2. Kelp dApp UI attack | Post mortem | by Kelp DAO | Jul, 2024 | Medium (Accessed Aug 15, 2024)
  3. https://kelpdao.xyz/ (Accessed Aug 15, 2024)
  4. Introduction | Kelp (Accessed Aug 15, 2024)
  5. @KelpDAO Twitter (Accessed Aug 15, 2024)
  6. @KelpDAO Twitter (Accessed Aug 15, 2024)
  7. @KelpDAO Twitter (Accessed Aug 15, 2024)
  8. x.com (Accessed Aug 21, 2024)