Ether.fi Domain Name Failed Takeover Attempt
ether.fi is a liquid restaking token which allows Ethereum to be staked and also used for other services in the ecosystem. ether.fi reports that an attempt was made to take over their domain name; however, this was successfully prevented through the use of hardware-based authentication devices and previous contact with the domain registrar. The attack was not successful and the ether.fi domain name remained within the team's control.[1][2][3][4][5]
About Ether Finance
Ether.fi is a decentralized finance (DeFi) platform focused on maximizing the utility of digital assets through staking, liquidity strategies, and crypto-enabled spending solutions. Its core mission is to empower users by giving them full control over their crypto while enabling them to save, grow, and spend within a robust, secure, and composable ecosystem. The platform currently boasts a total value locked (TVL) of over $6.88 billion, with several high-yield options such as 3.4% for staking, 9% from liquidity vaults, and 3% cashback through its crypto credit card.
Staking is the foundation of ether.fi’s offerings. Users can stake ETH, BTC, or stablecoins via value-accruing restaking tokens like weETH, eBTC, and eUSD. These allow holders to earn rewards while retaining liquidity and exposure to the underlying assets. Security is a top priority, with the platform being decentralized, audited, and battle-tested. The protocol is open source and supported by top-tier DeFi integrations including Aave, Pendle, and Gearbox.
The Liquid product automates yield strategies through smart vaults that auto-balance and compound returns across DeFi’s best-performing protocols. Users can choose vaults tailored to their asset types or risk profiles, maximizing returns with minimal management.
Ether.fi Cash introduces a non-custodial credit card with 3% cashback on all purchases. It integrates seamlessly with Apple Pay and Google Pay, offering global usage at over 100 million locations. This card is part of the platform’s goal to bridge DeFi with real-world utility.
The Reality
"In weeks prior, there was an increase in exploitation of [domain registrar] attack vectors observed with other protocols. We preemptively upgraded our key platforms to require hardware authentication as an authentication method"
What Happened
"On September 24, ether.fi experienced a security incident involving its domain registrar, Gandi.net, resulting in the [attempted] compromise of the ether[.]fi domain."
| Date | Event | Description |
|---|---|---|
| September 24th, 2024 10:38:00 AM MDT | Account Recovery Notification | The ether.fi team reports receiving an account recovery notification from the registrar Gandi.net. |
| September 24th, 2024 1:30:00 PM MDT | No Actual Attack Confirmed | "Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi’s account had been successfully locked to prevent further tampering and the nameserver config restored. There is a comprehensive analysis of external and internal systems in progress, and as of now there are no traces of an internal breach observed." |
| September 24th, 2024 6:20:53 PM MDT | ether.fi Notice Posted | The ether.fi team posts a public announcement about the attempted attack on their gitbook. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
No funds were lost.
Immediate Reactions
"Gandi’s monitoring systems and process, while aggressive, locked down the domain account and prevented any access to our systems, and kept our websites, apps and emails safe from the attempted attack"
"Gandi was contacted on multiple platforms. At approximately 19:30 UTC it was confirmed that ether.fi’s account had been successfully locked to prevent further tampering and the nameserver config restored. There is a comprehensive analysis of external and internal systems in progress, and as of now there are no traces of an internal breach observed."
Ultimate Outcome
"More details of the incident will be shared as they become available in collaboration with Gandi's team over the next two days. Thank you to the Seal911 team, Doppel, Ethena and Distrust our security partner - teams that instantly responded and provided assistance as we navigated the dangerous waters today.
We’re glad to report that all funds are safe, and no opportunity was given to the attackers to present a compromised dapp on any ether.fi related domain."
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Sep 24: Incident - attempted domain account takeover (Accessed Oct 25, 2024)
- Etherfi (Accessed Oct 25, 2024)
- Etherfi (Accessed Oct 25, 2024)
- Getting Started (Accessed Oct 25, 2024)
- Introduction (Accessed Oct 25, 2024)