
On August 10, 2022 (Beijing time), public-opinion monitoring on the Chengdu Lianan Hawkeye blockchain security situational awareness platform showed that the decentralized finance protocol Curve Finance had been hit by a DNS hijacking attack.
After the attack, Curve tweeted to confirm that the nameserver for curve.fi had been compromised, and warned users to cancel (revoke) the contract 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881 on Curve and to use curve.exchange in the meantime.
This morning, Binance founder Changpeng Zhao tweeted about the Curve hack, saying that Curve's use of GoDaddy for DNS is not safe and that no Web3 project should use it, because it is very vulnerable to social engineering.
DNS hijacking attacks are indeed relatively rare in the Web3.0 space. What security lessons does this incident hold, and what impact will it have on the security of the Web3.0 blockchain ecosystem?
1 What is a DNS hijacking attack?
DNS stands for Domain Name System.
The main function of DNS is to translate a domain name into an IP address that computers can recognize, so that we can reach the corresponding server simply by entering the domain name. DNS therefore plays a critical role in the entire network access process.
If an attacker tampers with the DNS resolution settings and points a domain name away from its legitimate IP to an illegitimate IP under the attacker's control, then visiting that domain opens an unreachable or fake website instead of the intended one. This technique is DNS hijacking.
2 How the DNS hijacking attack hit Curve Finance
Curve Finance is a decentralized finance (DeFi) protocol that offers "extremely efficient" stablecoin transactions with low slippage and fees. It is considered the backbone of the DeFi ecosystem, with over $6 billion in total value locked.
This time, Curve Finance suffered a DNS hijacking attack because the domain registrar http://iwantmyname.com was compromised: Curve's nameserver entries were changed to DNS servers controlled by the attacker, and traffic for curve.fi was redirected to the attacker's servers at 5.199.174.238 and 87.120.37.46.
The malicious DNS servers deployed by the attacker had the same IPs as the two malicious web servers, so the same hosts probably ran both DNS and web services. As a result, unsuspecting curve.fi users were led to interact with the malicious contract 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881 controlled by the attacker.
On-chain data shows that the malicious contract tied to this incident appears to have stolen USDC and DAI from eight different victims. The funds were transferred to the attacker's wallet, swapped for ETH, and then sent to the cryptocurrency exchange FixedFloat.
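The two signals described above, the domain's nameservers being swapped for ones the operator never configured and the "nameserver and web server on the same host" pattern, can be monitored automatically. The script below is an added example and is not code from the original article, from Curve or from Chengdu Lianan. It compares a DNS snapshot against a known-good baseline; the baseline nameserver names and hosting ranges, the "healthy" snapshot and the attacker nameserver hostname are all constructed assumptions (the healthy addresses use documentation ranges), and the only values taken from the article are the two attacker server IPs.

```python
"""Detect nameserver tampering by diffing a DNS snapshot against a known-good baseline."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class DnsSnapshot:
    """What a resolver currently returns for a domain (hostnames and IPs as strings)."""
    domain: str
    ns_records: set[str]    # NS hostnames published for the domain
    ns_addresses: set[str]  # IPs those nameserver hostnames resolve to
    a_records: set[str]     # IPs the domain itself resolves to


@dataclass
class Baseline:
    """The operator's known-good configuration, recorded when the zone was last verified."""
    expected_ns: set[str]
    expected_web_networks: list  # ipaddress networks where the real web servers live


def _norm(name: str) -> str:
    """Normalize a DNS name for comparison (case-insensitive, trailing dot optional)."""
    return name.lower().rstrip(".")


def check_snapshot(snapshot: DnsSnapshot, baseline: Baseline) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    observed_ns = {_norm(n) for n in snapshot.ns_records}
    expected_ns = {_norm(n) for n in baseline.expected_ns}

    # 1. Registrar-level tampering shows up as NS records the operator never set.
    unexpected = observed_ns - expected_ns
    if unexpected:
        findings.append(f"{snapshot.domain}: unexpected nameservers {sorted(unexpected)}")
    missing = expected_ns - observed_ns
    if missing:
        findings.append(f"{snapshot.domain}: expected nameservers missing {sorted(missing)}")

    # 2. The domain resolving outside the known hosting ranges means traffic is redirected.
    for ip in sorted(snapshot.a_records):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in baseline.expected_web_networks):
            findings.append(f"{snapshot.domain}: A record {ip} outside expected hosting ranges")

    # 3. A nameserver that is also the web server is the hasty attacker setup seen here.
    shared = snapshot.ns_addresses & snapshot.a_records
    if shared:
        findings.append(f"{snapshot.domain}: nameserver and web server share host(s) {sorted(shared)}")
    return findings


def hijack_suspected(findings: list[str]) -> bool:
    """A nameserver swap or a shared NS/web host is enough to page someone."""
    return any("unexpected nameservers" in f or "share host" in f for f in findings)


# Constructed baseline: assumed nameserver names and an assumed hosting range.
BASELINE = Baseline(
    expected_ns={"ns1.example-dns.invalid", "ns2.example-dns.invalid"},
    expected_web_networks=[ipaddress.ip_network("203.0.113.0/24")],
)

# Constructed healthy snapshot (documentation addresses only).
HEALTHY = DnsSnapshot(
    domain="curve.fi",
    ns_records={"NS1.example-dns.invalid.", "ns2.example-dns.invalid"},
    ns_addresses={"198.51.100.53", "198.51.100.54"},
    a_records={"203.0.113.10"},
)

# Constructed hijacked snapshot: the nameserver hostname is assumed; the two IPs are
# the attacker server addresses reported in the article.
HIJACKED = DnsSnapshot(
    domain="curve.fi",
    ns_records={"ns1.attacker-dns.invalid"},
    ns_addresses={"5.199.174.238", "87.120.37.46"},
    a_records={"5.199.174.238", "87.120.37.46"},
)

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        found = check_snapshot(snap, BASELINE)
        print(f"[{label}] hijack suspected: {hijack_suspected(found)}")
        for line in found:
            print("  -", line)
```

In production the snapshot would be filled from a resolver (the NS and A answers, plus the addresses the NS names resolve to) on a schedule, and the baseline is the configuration the operator recorded the last time the zone was verified; the NS comparison is the check that would have fired in the incident described above, since the registrar change replaced the nameservers outright.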
3 Where the stolen funds from this incident went
As of publication, the Chengdu Lianan security team had used the Lianbizhui virtual currency intelligent research and judgment platform to monitor, track and analyze the addresses holding the stolen funds, and found that the Curve attacker address 0x50f9202e0f1c1577822BD67193960B213CD2f331 had moved funds through Tornado Cash, which had been sanctioned by the U.S. Treasury Department only the day before.
The total loss caused by this incident was approximately $770,000, including $200,000 frozen by the FixedFloat exchange.
4 How to guard against the "fancy tricks" hackers play in Web3.0
Also this morning, Curve Finance tweeted that the curve.exchange exchange does not appear to be affected by the attack because it uses a different DNS provider. Curve pointed out that the DNS provider Iwantmyname was likely hacked, and added that they have changed their nameservers, that the issue has now been resolved, and that users will be directed to revoke the contract in the near future.
The Chengdu Lianan security team reminds everyone: before confirming a transaction, first verify the address of the contract you are about to interact with, for example by checking the address's label and its past interaction history.