DNS Attack Highlights Vulnerabilities in Web3 Protocols
On July 11, a significant domain name system (DNS) attack targeted multiple Web3 protocols, with early analysis suggesting that the incident may have stemmed from a flawed migration process between Google Domains and Squarespace. Experts in the field believe that the emergence of tokenized web domains could greatly reduce the likelihood of such attacks in the future.
On the day of the attack, blockchain investigator ZachXBT reported that the website for Compound Finance redirected users to a fraudulent phishing site aimed at stealing their tokens. By later that same day, Celer Network confirmed that its site had also fallen victim to the attack, although it was fortunate enough to detect and thwart the malicious activity before any harm was done.
According to a report from the blockchain security firm Blockaid, the attack appeared to be linked to projects hosted on Squarespace, indicating a potential vulnerability within the domain registration system used by Squarespace.
In an interview with Cointelegraph on July 12, Matt Gould, the founder of the tokenized domain protocol Unstoppable Domains, postulated that the attack might have been facilitated by users transitioning from Google Domains to Squarespace. This transition could have rendered these users susceptible to phishing attacks. He explained, “Currently, if you’re a Google Domains customer needing to migrate to Squarespace, you must create a new account. This makes you an easy target for phishing campaigns, where attackers might claim, ‘You need to set up your new Squarespace account. Time is running out. Click here.’”
Victor Zhou, the founder of tokenized domain protocol Namefi, shared a similar perspective in a post on X, suggesting that the attacks likely occurred because projects were registered with Google Domains. He noted that after Google sold its domain business to Squarespace a few months prior, the migration process inadvertently disabled multi-factor authentication (MFA), making it easier for attackers to gain access using only a password.
A report from the cybersecurity firm Security Alliance corroborated the theory that a problematic migration process was to blame for the hack. They suggested that Squarespace might have automatically assigned the corresponding domains to the Google email addresses of their owners, allowing users immediate access after creating a new account on Squarespace. However, due to the lack of email verification for new accounts created via password, attackers could log in using just the email linked to the Google Domains account. Security Alliance speculated that this oversight occurred because Squarespace administrators presumed that users migrating from Google would use the “Continue with Google” login method, failing to consider that a threat actor could create an account using an email linked to a recently migrated domain.
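The account-linking gap Security Alliance describes, reduced to a runnable model as an added example (not Squarespace's code or any real registrar's API; the registrar type, domain and e-mail values are constructed assumptions): pre-assigned domains are handed to a password sign-up with no proof of mailbox control, beside the hardened flow that holds them until that proof exists.

```go
package main

import "fmt"

// Registrar is a constructed model of a registrar that pre-assigns migrated
// domains to the owner's e-mail address (not Squarespace's real logic).
type Registrar struct {
	RequireVerification bool                // the hardened setting
	pending             map[string][]string // e-mail -> domains awaiting claim
	verified            map[string]bool     // e-mail -> mailbox control proven
}

func NewRegistrar(requireVerification bool) *Registrar {
	return &Registrar{requireVerification, map[string][]string{}, map[string]bool{}}
}

// Migrate pre-assigns a domain to the e-mail that owned it at the old registrar.
func (r *Registrar) Migrate(domain, ownerEmail string) {
	r.pending[ownerEmail] = append(r.pending[ownerEmail], domain)
}

// ProveMailbox records that the caller demonstrated control of the mailbox,
// either through "Continue with Google" or by clicking a verification link
// sent to that address.
func (r *Registrar) ProveMailbox(email string) { r.verified[email] = true }

// SignUpWithPassword creates an account from just an e-mail and a password and
// returns the domains released to it. In the weak configuration whoever types
// the owner's address first inherits the pending domains; in the hardened one
// nothing is released until ProveMailbox has been called for that address.
func (r *Registrar) SignUpWithPassword(email, password string) []string {
	_ = password // the caller's own password; it plays no part in the flaw
	if r.RequireVerification && !r.verified[email] {
		return nil
	}
	domains := r.pending[email]
	delete(r.pending, email)
	return domains
}

func main() {
	for _, hardened := range []bool{false, true} {
		r := NewRegistrar(hardened)
		r.Migrate("example-protocol.test", "owner@example.test") // constructed values
		// Someone who knows only the owner's address creates the account first.
		got := r.SignUpWithPassword("owner@example.test", "not-the-owners-password")
		fmt.Printf("RequireVerification=%v released: %v\n", hardened, got)
	}
}
```

The detection angle is the same in both flows: a password sign-up for an address that already has pending migrated domains is the event worth alerting on.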
Cointelegraph reached out to Squarespace for a statement but did not receive a response before publication.
Gould proposed that future attacks of this nature could be avoided if Web3 protocols were to tokenize their domains and manage them on a blockchain. He explained, “By placing domains on-chain, any updates to your DNS settings would require the customer to sign a message with their key. This additional security step would make phishing attacks virtually impossible, as it would necessitate compromising both the Squarespace account and the user’s wallet.” He also suggested implementing a two-of-three multisignature requirement, where at least two team members must authorize any changes to DNS settings. A more radical approach would involve placing the web registrar itself on-chain, allowing seamless transitions between providers without the need for users to create new accounts.
Zhou echoed the sentiment that tokenized domains could help thwart such attacks. He asserted, “Tokenized domain names offer the potential for enhanced security measures through their programmable ownership. They allow for Threshold Signature Signing, which enables multiple users to collaboratively manage the domain.” Unlike non-tokenized domains, where multi-factor authentication can be easily disabled, tokenized domains ensure that MFA is managed by the domain owner rather than an intermediary like Squarespace. Additionally, they can incorporate a “social recovery mechanism” in case a domain owner loses access to their private key.
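The signed-change rule Gould and Zhou describe in the two paragraphs above, as an added example that is not code from Unstoppable Domains, Namefi or any chain: a DNS change is a message, and the registrar applies it only when two of three registered team keys have signed exactly that message. The message format, the key set and the domain values are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// DNSChange is the message each team member signs (constructed format, not a
// real registrar's or chain's API); Nonce stops an old approval being replayed.
type DNSChange struct {
	Domain string
	Record string
	Value  string
	Nonce  uint64
}

func (c DNSChange) Bytes() []byte { b, _ := json.Marshal(c); return b }

// Approval is one owner key's signature over a DNSChange.
type Approval struct{ Signer ed25519.PublicKey; Sig []byte }

// Authorize enforces the 2-of-3 rule: at least `threshold` distinct keys from
// the owner set must carry a valid signature over exactly this change. Keys
// outside the set, repeated signers and signatures over a different change
// (other value or nonce) are not counted; a registrar password alone yields nothing.
func Authorize(change DNSChange, owners []ed25519.PublicKey, threshold int, approvals []Approval) bool {
	msg := change.Bytes()
	counted := map[string]bool{}
	for _, a := range approvals {
		for _, owner := range owners {
			if owner.Equal(a.Signer) && !counted[string(owner)] && ed25519.Verify(owner, msg, a.Sig) {
				counted[string(owner)] = true
			}
		}
	}
	return len(counted) >= threshold
}

func main() {
	keys, privs := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3)
	for i := range keys { // three team members with constructed keys
		keys[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	change := DNSChange{Domain: "example-protocol.test", Record: "A", Value: "203.0.113.10", Nonce: 1}
	one := []Approval{{keys[0], ed25519.Sign(privs[0], change.Bytes())}}
	two := append(one, Approval{keys[2], ed25519.Sign(privs[2], change.Bytes())})
	fmt.Println("one signer:", Authorize(change, keys, 2, one), "two signers:", Authorize(change, keys, 2, two))
}
```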
Zhou believes that tokenized domains establish a far superior foundation for implementing advanced security measures compared to the centralized systems currently in use.
However, Nick Johnson, the founder of the tokenized domain protocol Ethereum Name Service (ENS), cautioned that blockchain-based registry systems are not a panacea for all security challenges. In a conversation with Cointelegraph, he stated, “While tokenized domains can simplify protection against user-end risks, they cannot shield against issues originating from the provider, as seen in the Squarespace incident. If a provider is compromised, it could circumvent all associated security measures.” While he acknowledged that tokenizing domains presents numerous advantages, he emphasized the importance of exercising caution when selecting who to trust with critical organizational assets.
Johnson noted that most providers of tokenized domains likely prioritize security more than average, which may contribute to the perception of increased safety. Nevertheless, this does not inherently guarantee greater security. One of the main benefits of tokenizing domains is the ability for owners to register Ethereum usernames easily. For instance, through a partnership between ENS and GoDaddy, domain owners can create Ethereum usernames simply by checking a box and entering the desired address.
According to GoDaddy’s help resources, a significant advantage of having an Ethereum username is the ability to receive payments directly to the domain name itself, eliminating the need to provide users with a separate Ethereum address for transactions.
The threat of DNS attacks continues to loom over crypto users. Just 12 days after the incidents involving Compound and Celer, the crypto exchange dYdX experienced its own v3 user interface hijacking, where an attacker inserted a malicious application into the exchange’s wallet connection function, further illustrating the vulnerabilities in the sector.