WEB3-FRONTEND-DNS-HIJACK-2022
Web3 · dApp web frontend / DNS / registrar / CDN trust boundary
Summary
A frontend hijack leaves the on-chain contracts untouched but replaces the Web2 surface serving the dApp UI with a wallet-drainer clone, so no Solidity audit can catch it. The recurring pattern: attackers take over the domain registrar or DNS provider account (or a CDN/tag-manager account), repoint the domain to a cloned site, and prompt visitors to sign malicious token approvals, EIP-2612 permit signatures, or transfers. Curve Finance was hit twice: on August 9-10, 2022 its curve.fi domain was DNS-hijacked via a compromised nameserver and drained ~$570K in USDC/DAI; and again around May 12, 2025 at the registrar level, after which Curve permanently migrated to curve.finance and announced an ENS move (Convex Finance and Resupply, which depend on Curve's data feeds, suffered dependency-driven outages but were not themselves compromised). In July 2024 a mass wave hit DeFi domains registered through Squarespace, whose forced migration off Google Domains stripped 2FA: Compound's frontend redirected to an Inferno Drainer clone and 100+ protocols were exposed (Celer blocked its takeover via domain monitoring). Ambient Finance's domain was hijacked through stolen registrar credentials on October 17, 2024. Most recently, on April 14, 2026 attackers used forged identity documents to social-engineer the registrar into handing over DNS control of CoW Swap's swap.cow.fi and cow.fi domains, redirecting users to a pixel-perfect drainer clone for about 90 minutes; over $1M was taken in roughly three hours, including 219 ETH (~$750K) from a single wallet, while CoW's contracts, backend APIs, and solver network were untouched. The same bucket includes CDN-account injections (KyberSwap's September 2022 Cloudflare/Google Tag Manager compromise, ~$265K) and BGP route hijacks that swap signed bundles for drainer code.
How to avoid it in your code
- Pin asset integrity with Subresource Integrity (SRI) hashes on all scripts and bundles so a swapped or injected script fails to load.
- Enable registrar lock and registry lock (serverTransferProhibited), DNSSEC, and hardware-key (FIDO2/WebAuthn) 2FA on registrar, DNS, CDN, and email accounts; registry lock forces out-of-band verification so a forged-document or account-takeover request cannot silently move records.
- Serve the dApp from content-addressed hosting (IPFS/ENS) with verifiable hashes so the UI does not depend on a single mutable DNS record.
- Have wallets/users verify spender contract addresses against a signed allowlist and rely on drainer detection plus transaction simulation (Blockaid/MetaMask) as a last line.
- Monitor DNS records and certificate-transparency logs for unexpected changes and alert; the protocols that survived these waves caught the takeover via monitoring.
References
- https://rekt.news/curve-finance-rekt
- https://crypto.news/curve-finance-confirms-migration-to-new-domain-after-dns-hijack/
- https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-platforms-registered-with-squarespace/
- https://crypto.news/defi-exchange-ambient-finance-recovers-domain-after-dns-attack/
- https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach
- https://protos.com/cow-swap-hit-by-dns-hijack-warns-users-to-stay-clear-of-site/
Related vulnerabilities
All Web3 →- CRITICALWEB3-KILOEX-2025
On April 14, 2025 the perpetuals DEX KiloEx lost about $7.5 million across BNB Chain, Base, opBNB, and Taiko to what was reported as oracle price manipulation but was really an access-control failure. KiloEx's price feed (KiloPriceFeed.setPrices) was meant to be reachable only through a keeper-gated call chain, but the top-level MinimalForwarder.execute function was publicly callable and validated an attacker-supplied signature against attacker-supplied data, letting anyone forge a trusted call that reached setPrices and write an arbitrary price. The attacker set a market price far below true value, opened a leveraged position, then set the price far above value and closed it in the same flow, extracting fabricated profit from the vault; the sequence was repeated across all four chains, with a single transaction netting $3.12M. Reporting that framed it as flash-loan oracle manipulation was imprecise: no market liquidity was moved, the price was simply written directly through the unprotected forwarder. After KiloEx offered a 10% (~$750K) whitehat bounty and no legal action, the attacker returned essentially all of the funds by April 18, 2025.
- CRITICALWEB3-BYBIT-2025
On February 21, 2025, Bybit lost roughly $1.5 billion (about 401,347 ETH plus stETH/mETH) in the largest crypto hack to date. The root cause was a supply-chain/front-end compromise: a breached Safe{Wallet} developer machine let attackers inject malicious JavaScript into the Safe UI served from Safe's S3-backed app.safe.global front end. The code was scoped to activate only for Bybit's cold-wallet Safe (and one other contract), so when the three signers reviewed a routine cold-to-hot transfer the UI showed legitimate data while their Ledgers were sent a different payload. Signers blind-signed a delegatecall (operation=1) to an attacker contract that, executing in the proxy's storage context, overwrote storage slot 0 (the masterCopy/singleton pointer) with an attacker-controlled implementation, after which sweep functions drained the wallet. The FBI and TRM Labs attributed the theft to North Korea's Lazarus Group (TraderTraitor/APT38); funds were rapidly laundered and not recovered.
- CRITICALWEB3-RADIANT-2024
On October 16, 2024, the cross-chain lending protocol Radiant Capital lost roughly $50M (about $53M across Arbitrum and BSC) after attackers compromised the devices of at least three of its multisig signers. Initial access began September 11, 2024 via a Telegram message spoofing a trusted former contractor, delivering a ZIP with a decoy PDF that was actually a macOS application carrying INLETDRIFT backdoor malware. The malware sat between the signers' browsers and their hardware wallets, so the Safe (Gnosis) UI and Tenderly simulations displayed correct data while the signers blind-signed a malicious transferOwnership() call on the LendingPoolAddressesProvider contract; the 3-of-11 threshold was met and the attacker then upgraded the pools to a malicious implementation and drained them. Mandiant assessed with high confidence the attack was conducted by North Korea-linked UNC4736 (aka Citrine Sleet/AppleJeus), part of the Lazarus cluster. Funds were not recovered and the protocol later wound down.
- CRITICALWEB3-WAZIRX-2024
On July 18, 2024 Indian exchange WazirX lost approximately $230M (about $234.9M) from a Safe (Gnosis) 4-of-6 multisig wallet held under a custody arrangement with Liminal (five WazirX keys plus one Liminal key). The attack was a blind-signing exploit: signers reviewed benign transaction details in the manipulated Liminal interface while the payload actually signed differed, authorizing a delegatecall (function selector 0x804e1f0a) that overwrote slot0 of the Safe proxy and repointed its implementation to an attacker-controlled contract (0xef279c2ab14960aa319008cbea384b9f8ac35fc6). Once the proxy pointed to attacker logic the wallet was fully controlled without further keys, and it was drained. The theft was attributed to North Korea's Lazarus Group, later confirmed in a joint statement by the US, South Korea and Japan in January 2025. Funds were laundered via Tornado Cash; victims are being repaid through a court-approved restructuring (resumed October 2025, BitGo custody) rather than direct recovery.
- CRITICALWEB3-UWULEND-2024
On June 10, 2024, UwU Lend, an Aave-fork lending protocol on Ethereum, lost about $19.3 million, followed by a second ~$3.7 million drain on June 13, 2024 (combined ~$23 million). The root cause was flash-loan oracle manipulation of the sUSDe price feed: the custom sUSDePriceProviderBUniCatch oracle priced sUSDe as the median of 11 sources, 5 of which read instantaneous Curve pool spot prices via get_p (no TWAP/EMA smoothing) across the FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD and GHOUSDe pools. Using a roughly $3.8 billion flash loan, the attacker swapped large USDe amounts to suppress the median sUSDe price, set up positions, then reversed the swaps to inflate it, rendering their own leveraged position liquidatable and self-liquidating repeatedly to harvest base assets at favorable rates. Curve explicitly advises against using get_p spot reads for oracles. The June 13 follow-up reused collateral left from the first attack, since sUSDe was not disabled as borrowable collateral.
- CRITICALWEB3-ORBITCHAIN-2024
On December 31, 2023 (reported January 1, 2024), the Orbit Chain cross-chain bridge lost about $81.5 million when the attacker gained signing control over a majority of validators (analysts cite 7 of 10) and authorized withdrawals from the Ethereum-side vault, draining roughly 30M USDT, 10M USDC, 10M DAI, about 9,500 ETH and 231 WBTC across five transactions to fresh wallets, plus a further transaction disabling the bridge. The root cause was validator private-key/credential compromise enabling improper authorization, not a smart-contract logic flaw; the attack wallet was funded via Tornado Cash. A later statement from developer Ozys alleged that a departing security lead had arbitrarily weakened the firewall policy in November 2023 before leaving without handover, which Ozys treats as the leading access hypothesis, though the causal link remains unproven. The methodical transaction pattern led analysts and South Korean authorities to suspect North Korea's Lazarus Group, but attribution was not formally confirmed. Funds were later laundered via Tornado Cash and not recovered.