Two prominent crypto projects have fallen victim to exploitation, raising concerns that numerous others may also be at risk. The incident stems from two-factor authentication (2FA) being disabled for projects that used Google Domains when their domains were migrated to Squarespace.
### Recent Exploits Raise Alarm Over Security
On July 11, 2024, security experts disclosed that the recent hacks targeting the front-end domains of Compound Finance and Celer Network indicated that at least 124 additional domains could also be vulnerable. The exposure arises from these domains being registered with the website-building platform Squarespace. The domain of Compound Finance, a leading decentralized finance protocol with nearly $2.2 billion in total value locked, is currently hosting a phishing site, according to Michael Lewellen, the head of solutions architecture at OpenZeppelin. He urged users to refrain from interacting with the website until further notice. In a related event, an attacker, potentially the same individual or group, attempted to seize control of Celer Network’s front-end domains. The Celer team reported that they successfully thwarted the takeover and noted that their investigation suggested involvement from third parties beyond their control.
### Insight from Security Experts
In a discussion with Unchained, Ogle, the founder of the blockchain network Glue and a noted white-hat hacker, indicated that the exploitation of Compound Finance and Celer Network was facilitated by their choice to host their front-end websites on Squarespace. He explained that Compound Finance is currently compromised to the extent that users could be phished through altered links. Phishing is a deceptive practice where attackers trick individuals into revealing sensitive information or downloading harmful software.
### Caution Advised for Users
In light of the ongoing domain compromises, Compound Finance has issued a warning against visiting their website. Engaging with the site or any associated links poses significant risks to users. The at-risk websites were originally hosted on Google Domains; however, Squarespace completed its acquisition of Google Domains in September 2023. According to Ogle, the recent exploits are “almost certainly” attributable to the migration process, during which 2FA was disabled. He noted, “While Compound Finance likely had 2FA enabled on Google, the switch to Squarespace removed that security feature.”
### Growing List of Vulnerable Protocols
As the situation unfolds, the number of crypto protocols potentially affected may increase. The pseudonymous founder of DefiLlama, who goes by @0xngmi, highlighted that 124 additional front-end domains of notable crypto protocols are utilizing Squarespace. These include Pendle Finance, Hyperliquid, dYdX, Nostra Finance, Axelar Network, Polymarket, Thorchain, Aptos Labs, NEAR, and Safe. A representative from Safe confirmed that they are also using Squarespace for their front-end website but assured that no abnormal activity has been detected and that they have systems in place to monitor for irregular changes. “Currently, we are unaffected,” the spokesperson stated, urging users to remain vigilant.
### Security Protocols Under Scrutiny
Similarly, the dYdX trading team communicated with Unchained via Telegram, asserting that their platform remains secure, with no vulnerabilities detected. They committed to ongoing monitoring of the situation. Axelar Network also reported no identified issues with its domain and plans to continue tracking developments. Despite the current state of these protocols, Ogle emphasized that the teams should remain concerned, as the situation is precarious. He advised against visiting any of these websites “under any circumstances until an official statement confirms safety.”
### Understanding Domain Security versus Protocol Integrity
It is important to differentiate between the domains of crypto projects and the actual protocols themselves. Even if a front-end domain is hijacked, users can still interact with a project’s smart contract directly without needing to go through the compromised website. Ogle explained that actions such as transferring funds on the blockchain or utilizing a bridge can occur independently of the front-end website. Therefore, even if a protocol’s domain is attacked, users do not lose access to their funds.
### Awaiting Further Developments
Representatives from Squarespace have not yet responded to requests for comment regarding the situation. As the landscape continues to evolve, users are advised to stay informed and exercise caution.