Pendle finance domain hijacked, recovered. Funds secure

Introduction

Attackers keep trying every kind of trick to take over crypto platforms and steal funds; news of one platform or another being broken into has become an almost daily or weekly occurrence. This time it is Pendle Finance: intruders hijacked the domain of this DeFi platform. Their ultimate goal is always the same, to find a way into users' wallets and steal whatever they can lay their hands on.

The Hijack and Recovery

Using its X account, Pendle Finance announced that its domain had been hijacked and that it was taking the platform offline to contain the risk from the attack. Below is what they said about the breach:

Due to a hijacking of the Pendle domain, we have taken down the website. Please refrain from using the app, until further notice. Team is working on securing the site. Rest assured, the protocol is unaffected, and your funds are safe. source

The Pendle Finance security team sprang into action as soon as they noticed the hijack. They worked for many hours to bring the website back online while also ensuring that user funds were safe. Around 10 hours after the initial announcement and shutdown of the Pendle Finance website, the protocol announced that the domain had been successfully recovered. However, any user visiting the site is warned to first confirm that they are on the correct domain, to avoid follow-on attacks such as phishing. Below is the follow-up update released by Pendle:

The Pendle domain has been secured. Ensure that the address bar is showing https://app.pendle.finance.
Rest assured the protocol itself remains unaffected, and funds are safe. source

Now that the hijacked domain is back in safe hands, users must be wary of the address they are visiting. When typing the website address, users should check the spelling carefully to make sure they are not redirected to a phishing clone of the Pendle website. To be sure of this, the security team strongly recommended that users clear their browser cache so that any old domain entries saved there are removed. This way they can be confident they are on the right website.

Getting into a little detail - plus recommendations

Pendle later released a more detailed, time-stamped statement to help its users understand the origin and nature of the attack and how its team worked to keep funds and the platform secure. They mentioned that a third-party domain registration service had bought the domains from Google. That registrar is Squarespace, and it is the source of the intrusion. In essence, this was not an attack specific to Pendle: all domains registered through Squarespace were exposed by this breach.

So the hijackers penetrated Squarespace through a backdoor and thereby gained access to the domains under that registrar. The intruders then started attacking some of the domains hosted at Squarespace, Pendle's among them. But ahead of this event, the Pendle security team was already alerting on any change to its domain name servers. When the intruders added malicious DNS records, Pendle shut down its site to protect users' funds. Later, after the team had removed the new DNS entries and kicked out the intruders, the domain was recovered and brought back online.
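As an added illustration of the kind of monitoring described above (example code written for this post, not Pendle's own tooling): the script keeps a baseline of the records a zone should serve, compares a fresh snapshot against it, and treats a change in NS delegation as the most severe signal, since that is what a registrar-level hijack changes first. The name servers and IP addresses are constructed placeholders, and the optional live lookup helper assumes the dnspython library; the comparison itself runs offline.

```python
"""DNS change monitor: compare the records currently served for a domain
against a known-good baseline and report any drift.

Added example for this article; not Pendle's own tooling. The baseline and
the "observed" answers below are constructed sample data (hypothetical name
servers and addresses), not real lookups. Live resolution is a separate,
optional helper so the comparison logic itself runs offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    rtype: str          # record type that changed, e.g. "NS" or "A"
    added: frozenset    # values now served that are not in the baseline
    removed: frozenset  # baseline values that are no longer served


def compare_records(baseline: dict, observed: dict) -> list:
    """Return a Drift entry for every record type whose value set changed.

    Both arguments map a record type ("NS", "A", ...) to the set of values
    the answer should (baseline) or does (observed) contain. Order does not
    matter, so values are compared as sets after normalising case and the
    trailing dot that some resolvers append.
    """
    def norm(values):
        return frozenset(v.lower().rstrip(".") for v in values)

    drifts = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = norm(baseline.get(rtype, ()))
        got = norm(observed.get(rtype, ()))
        if want != got:
            drifts.append(Drift(rtype, added=got - want, removed=want - got))
    return drifts


def assess(baseline: dict, observed: dict) -> str:
    """Map drift to an action for the on-call engineer.

    A change in NS delegation is the most severe signal: it means control of
    the whole zone may have moved (as in a registrar-level hijack), not just
    one host record.
    """
    drifts = compare_records(baseline, observed)
    if not drifts:
        return "OK"
    if any(d.rtype == "NS" for d in drifts):
        return "CRITICAL: NS delegation changed - take the site offline and contact the registrar"
    return "WARNING: host records changed - verify the change was authorised"


# Constructed baseline: what the zone should look like (hypothetical values).
BASELINE = {
    "NS": {"ns1.expected-dns.example", "ns2.expected-dns.example"},
    "A": {"198.51.100.10"},
}

# Constructed snapshot simulating a registrar-level hijack: delegation now
# points at name servers the team never configured (placeholder names).
HIJACKED = {
    "NS": {"ns1.unexpected-provider.example", "ns2.unexpected-provider.example"},
    "A": {"203.0.113.77"},
}


def live_records(domain: str, rtypes=("NS", "A")) -> dict:
    """Fetch current answers with dnspython (third-party; only needed live)."""
    import dns.resolver
    return {
        rt: {r.to_text() for r in dns.resolver.resolve(domain, rt)}
        for rt in rtypes
    }


if __name__ == "__main__":
    for d in compare_records(BASELINE, HIJACKED):
        print(f"{d.rtype}: +{sorted(d.added)} -{sorted(d.removed)}")
    print(assess(BASELINE, HIJACKED))
```

In practice the snapshot would be taken from several independent resolvers plus the registrar's own authoritative servers, on a short interval, so that a delegation change is caught before the attacker's new zone has propagated to most users.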

Although the protocol is safe now, Pendle is still taking extra precautionary measures to ensure that none of its users lose their assets. Users are therefore encouraged to revoke all contract approvals granted before or during this attack until the full investigation of the breach is complete. Here is what they said:

With user security being our #1 Concern, we recommend all users to temporarily revoke approvals to our contract until we further investigate the recent compromise. source

Why do intruders attempt to hijack domains?

Domain hijackers are intruders whose main intent is to steal sensitive data held on the site. In the case of DeFi platforms like Pendle, the intruders try to reach any users who have connected their wallets to the protocol. If they manage to obtain the seed phrases of the connected DeFi wallets, they steal the funds. They might also try to tamper with the smart contracts connected to the system. Whichever they succeed at, the aim is to steal the funds tied to the platform.

So in cases of domain hijacking like this one, it is important to cancel all pending transactions made earlier. Since the platform is DeFi, it involves a lot of smart contracts, so users are expected to revoke their contract approvals in case the hijackers were able to compromise any of them. It is also important to confirm that the URL or domain of the website is not redirecting to a phishing website. So before connecting any web3 wallet such as MetaMask, the visitor should be sure of the address that is in the address bar.
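The "check the address bar" advice above is easy to state and easy to get wrong by eye, so here is an added example (written for this post, not Pendle's code) of the checks a wallet-connect step or a browser extension could run on a URL before signing anything. The expected host is the one the article quotes, https://app.pendle.finance; the sample URLs are constructed and cover the usual lookalike tricks: userinfo before an `@`, the real name used as a subdomain of another domain, non-ASCII homoglyph hosts, plain http, and near-miss spellings.

```python
"""Verify that a URL is exactly the expected app origin before connecting a
wallet. Added example for this article, not Pendle's own code. The expected
host comes from the article's advice; every sample URL is constructed.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "app.pendle.finance"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to flag near-miss typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def verify_app_url(url: str, expected_host: str = EXPECTED_HOST) -> tuple:
    """Return (ok, reason); ok is True only for an exact https match.

    Each rejection names the trick it caught so the user (or a log line)
    learns why the page was not trusted.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"
    # "https://app.pendle.finance@evil.example/" parses the real name as
    # userinfo; the host the browser actually talks to comes after the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    host = parts.hostname  # already lowercased by urlsplit
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port is not None:
        return False, "explicit port"
    # Non-ASCII labels (or their xn-- punycode form) can render as
    # look-alike glyphs; the real app host is plain ASCII.
    if not host.isascii() or "xn--" in host:
        return False, "internationalised host (possible homoglyph)"
    if host == expected_host:
        return True, "ok"
    if host.endswith("." + expected_host):
        return False, "subdomain of the expected host, not the app itself"
    if host.startswith(expected_host + "."):
        return False, "expected name used as a subdomain of another domain"
    if edit_distance(host, expected_host) <= 2:
        return False, "near-identical spelling (possible typosquat)"
    return False, "different host"


# Constructed sample URLs for demonstration.
SAMPLES = [
    "https://app.pendle.finance/",
    "https://APP.Pendle.Finance/markets",
    "http://app.pendle.finance/",
    "https://app.pendle.finance@evil.example/",
    "https://app.pendle.finance.evil.example/",
    "https://app.pendel.finance/",
    "https://app.p\u0435ndle.finance/",  # Cyrillic 'е' in place of Latin 'e'
    "https://app.pendle.finance:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = verify_app_url(sample)
        print(f"{'PASS' if ok else 'FAIL':4} {sample!r}: {reason}")
```

The check is deliberately strict: anything other than the exact https origin fails, including subdomains of the real domain, because a hijacked zone lets an attacker create any name under it. Clearing the browser's cached DNS and saved URLs, as the article recommends, complements this check rather than replacing it.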

Finally

Intruders are on the loose, trying to break into secure systems. While admins do their best to secure funds and data, users need to be wary of attempts to steal their assets. Cross-checking URLs is a sure way to avoid phishing attacks. It is also important not to click links from strangers. Phishing attacks via email are common, as are fake airdrops. One needs to be aware of the many ways attackers try to steal, and always stay alert to protect valuable assets from intrusion.


note: thumbnail is mine

Posted Using InLeo Alpha

13 comments
This is very informative, but we really have to be extra careful these days.

We should really be!!! It's important that we avoid phishing attacks, which are the most popular of all. It's equally important that we take precautions on every platform we are on. Once these intruders have access to your assets, it's painful.

Congratulations @fokusnow! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s):

You published more than 550 posts.
Your next target is to reach 600 posts.

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

Check out our last posts:

LEO Power Up Day - July 15, 2024
Cool. Let's do more, shall we?


Sure thing! Looking forward to you reaching your new target 😅

Pretty reassuring to see how Pendle handled the situation. We must all stay vigilant against these threats, always; you never know how these hackers will get you.


Yes they really stayed in control and made sure that user assets are not endangered. The breach was contained before it could damage the platform. In web3, everyone is in charge of their security and should be working hard to stay safe.


A great article and informative too

We really need to look out for and avoid hijackers. Very important, even though there is a recovery process.