Emerging Scam in Decentralized Finance (DeFi)
Users in the decentralized finance (DeFi) sector received a warning recently about a new type of scam. Scammers are reportedly taking over the websites of abandoned projects, tricking former users into signing harmful “drainer” transactions. This alert was issued by 0xngmi, the anonymous creator of the analytics platform DeFiLlama. He confirmed that outdated domains were being systematically removed from the platform and its browser extension while advising users to remain vigilant. “I’ve noticed that scammers have started buying old abandoned DeFi domains to replace the frontend with drainers, so if you’re going to some dead DeFi project to withdraw money you forgot about, be careful,” 0xngmi stated.
Understanding the Nature of Front-End Attacks
This deceptive method stands apart from typical scams, which usually involve direct engagement from scammers. By hijacking a legitimate URL, these fraudsters exploit the tendency of former users to revisit familiar sites—often ones they had saved as bookmarks—to withdraw previously deposited funds. With no active team available to warn users about the security breach or to restore the compromised interface, the only safeguard is for users to meticulously scrutinize any transaction they attempt to sign. A community member from Maker/Sky highlighted that the domain of the now-defunct Maker sub-DAO, Sakura, is currently up for grabs for just a penny.
What Constitutes Front-End Attacks?
Unlike centralized exchanges that keep their code private, DeFi protocols function directly on blockchains like Ethereum or Solana. Most users interact with these protocols through the project’s website, or front-end, which offers a user-friendly interface to create transactions that require approval via a crypto wallet. Although it’s technically feasible to generate transactions using alternative tools—such as block explorers like Etherscan—this practice is rare. Consequently, front-ends become a prime target for potential hackers. A widely used tactic involves compromising the official site through social engineering attacks on DNS providers, which often leads to cloned sites presenting altered transactions that could, for instance, grant token approvals or redirect funds to the scammer. Another simpler method involves mimicking legitimate sites, utilizing similar-looking URLs or misleading hyperlinks to deceive users.
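One way to scrutinize a transaction before signing, as described above: decode the calldata the wallet shows and check what it actually asks for. This is an added example, not code from DeFiLlama or any project named here; the `trusted` allowlist and the sample addresses are constructed assumptions, and only the standard ERC-20/ERC-721 method selectors are covered.

```python
# Added example: decode token calldata before signing and flag drainer-style requests.
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the standard token methods that move funds or grant spending rights.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}

def decode_call(calldata_hex):
    """Return (function_name, [args]) for a known selector, else (None, [])."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    name, types = SELECTORS.get(data[:8], (None, ()))
    body = data[8:]
    if name is None or len(body) < 64 * len(types):
        return None, []  # unknown selector or truncated arguments
    args = []
    for i, t in enumerate(types):
        word = body[64 * i: 64 * (i + 1)]  # each ABI argument is one 32-byte word
        args.append("0x" + word[24:] if t == "address" else int(word, 16))
    return name, args

def review(calldata_hex, trusted):
    """List warnings for a pending transaction; `trusted` is the user's own allowlist."""
    name, args = decode_call(calldata_hex)
    if name is None:
        return ["unrecognised or malformed call: cannot verify, do not sign"]
    allow = {a.lower() for a in trusted}
    counterparty = args[1] if name == "transferFrom" else args[0]
    warnings = []
    if counterparty not in allow:
        warnings.append(f"{name} names an address not on your allowlist: {counterparty}")
    if name in ("approve", "increaseAllowance") and args[1] == MAX_UINT256:
        warnings.append("unlimited token allowance requested")
    if name == "setApprovalForAll" and args[1] == 1:
        warnings.append("operator control over the whole collection requested")
    return warnings

if __name__ == "__main__":
    # Constructed sample: an unlimited approve() to an address the user does not know.
    known = "0x" + "11" * 20
    sample = "0x095ea7b3" + "00" * 12 + "de" * 20 + "ff" * 32
    for w in review(sample, [known]):
        print(w)
```

A withdrawal from an old protocol should not normally need a fresh approval, so any warning here on a "withdraw" page is a reason to stop and compare the contract address against the project's verified deployment on a block explorer.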
Distinguishing Between Scams and Vulnerabilities
It’s important to note that not all losses associated with front-ends are due to scams; some arise from vulnerabilities within the site’s code that hackers can exploit. A recent incident on the DeFi lending platform Morpho cost $2.6 million, though it was fortunately mitigated by a well-known MEV bot, c0ffeebabe.eth, who intervened before the full impact could be realized.
Front-End Attacks: A Small Part of a Larger Issue
These front-end attacks primarily target individual users and differ significantly from other risks associated with DeFi platforms, such as smart contract exploits and private key breaches. The latter scenarios often result in more extensive financial damage as assets held within project contracts can be drained in one fell swoop. Recently, ZKsync reported a loss of $5 million in ZK tokens from its airdrop, seemingly due to a compromised multisig wallet. Additionally, the decentralized exchange KiloEx faced a loss of $7.5 million from a price oracle vulnerability. Another source of risk comes from project teams themselves, who may control significant amounts of their own token. As demonstrated in recent days, teams can withdraw liquidity or sell tokens over the counter, leading to volatile price fluctuations, particularly when leveraged positions on overvalued tokens collapse.
The Internal Threat
There’s also the potential danger posed by malicious team members, whether they are outsiders with ulterior motives or rogue developers. A recent incident reported by The Roar highlighted the disappearance of around $780,000 through a backdoor, attributed to such nefarious actions.