Attackers do not have to exploit smart contracts directly; compromising a project's front-end code or supporting systems can be just as profitable.
The protocol that translates the human-readable domain names in URLs into the IP addresses computers understand is the Domain Name System, or DNS. It is essentially the internet's phone book.
DNS is essential to company operations, so firewalls must allow it through and network administrators cannot throttle DNS traffic. That makes it a prime target for threat actors, who have carried out many DNS-based attacks against corporate networks over the years.
To run additional functionality on top of the primary blockchain protocols, many Web3 projects still rely on Web2 frameworks and technology. As a result, attackers trying to steal project and user funds are increasingly using Web2 vulnerabilities as their attack vectors.
From the examples of Curve Finance and KyberSwap, we can infer certain safety recommendations for the larger community.
On September 1, 2022, the decentralized exchange KyberSwap suffered a front-end exploit, the first attack on the project in five years.
According to the company's announcement, the attackers abused the Google Tag Manager (GTM) script to compromise the app's front end. This is a Web2 vulnerability, since GTM has nothing to do with KyberSwap's smart contracts or blockchain protocol functionality. The injected script specifically targeted whale wallets.
On August 9, 2022, at around 4:20 PM Eastern Standard Time, Curve Finance's DNS record was hijacked and pointed to a rogue website that was a near-exact replica of the real one. The attacker inserted malicious code into this cloned copy that prompted users to approve a token for an unverified contract.
If a user authorized that transaction, the attacker used the malicious contract to transfer the user's funds to the hacker's address.
This attack is similar to the Premint exploit, which took place on July 17 and involved injecting malicious code onto the website’s front end in an effort to trick users into setting approval for all transactions.
The hacker in this case used a malicious contract that, when interacted with, would direct funds to the hacker's wallet. The site served through the hijacked DNS would request user approval for each transaction involving the fraudulent contract.
It is also noteworthy that this was not a wallet-drainer attack: in one of the victims' wallets we can see funds that were not touched by the operation still moving.
This exploit is another illustration of how a Web2 vulnerability could have a detrimental effect on Web3 users. Web2 infrastructure frequently has a single point of failure, which can result in severe losses, whether the attack is on Discord, Twitter, or a website.
By compromising Curve Finance's DNS, the hacker directed users to a website that contained malicious code. This mirrors the Premint hack, in which the attacker implanted malicious code to get users to sign a SetApprovalForAll() call that transferred their NFTs to the exploiter's wallet.
The attack had 7 victims in total. The stolen funds were sent to the hacker's wallet, swapped for Ethereum (ETH), and forwarded to FixedFloat and Binance, with a further 27 ETH sent to Tornado Cash.
A DNS compromise is always easier to prevent than to clean up after it has happened. Regular users can protect their funds by not clicking on dubious links, clearing their DNS cache regularly, and routinely scanning their devices for malware.
Users who resolve through compromised DNS servers will frequently be redirected to a page that is virtually indistinguishable from the one they intended to visit. Because crypto companies offer their services to millions of users worldwide, it is their responsibility to choose a secure, reliable domain management vendor.
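One concrete check that follows from the approval-based theft described above, added here as an example and not code from Curve, Premint or KyberSwap: a wallet or browser-extension guard that decodes the approve()/setApprovalForAll() calldata a site asks the user to sign and flags any spender that is not on the project's published contract list, or any unlimited approval. The allowlist address and the sample calldata are constructed; the two selectors are the standard ERC-20/ERC-721 ones.

```python
"""Flag approval calldata whose spender is not a project-verified contract (added example)."""
from dataclasses import dataclass

# First 4 bytes of keccak256 over the Solidity signature (standard ERC-20 / ERC-721 selectors).
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UINT256_MAX = 2 ** 256 - 1

# Constructed allowlist standing in for the project's published contract addresses.
VERIFIED_SPENDERS = {"0x1111111111111111111111111111111111111111"}

@dataclass
class ApprovalCheck:
    function: str    # "approve" or "setApprovalForAll"
    spender: str     # address being granted spending rights
    unlimited: bool  # uint256 max, or setApprovalForAll(..., true)
    verdict: str     # "ok" if spender is verified, else "suspicious"

def _word(data: str, index: int) -> str:
    """Return the 32-byte ABI word at position `index` after the 4-byte selector."""
    start = 8 + 64 * index
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError("malformed approval calldata")
    return word

def inspect_approval(calldata: str, verified=VERIFIED_SPENDERS):
    """Decode approve()/setApprovalForAll() calldata; return None if it is neither."""
    data = calldata.lower().removeprefix("0x")
    selector = data[:8]
    if selector == APPROVE_SELECTOR:
        function, unlimited = "approve", int(_word(data, 1), 16) == UINT256_MAX
    elif selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        function, unlimited = "setApprovalForAll", int(_word(data, 1), 16) == 1
    else:
        return None
    spender = "0x" + _word(data, 0)[-40:]  # address is right-aligned in its 32-byte word
    verdict = "ok" if spender in verified else "suspicious"
    return ApprovalCheck(function, spender, unlimited, verdict)

def encode_approval(selector: str, spender: str, value: int) -> str:
    """Build ABI calldata for the two functions above (used for the constructed samples)."""
    return "0x" + selector + spender.removeprefix("0x").rjust(64, "0") + format(value, "064x")

if __name__ == "__main__":
    # Constructed sample: a cloned site asking for an unlimited approval to an unknown contract.
    rogue = encode_approval(APPROVE_SELECTOR, "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef", UINT256_MAX)
    print(inspect_approval(rogue))
```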
Finally, had Curve's breach gone unnoticed for even a single day longer, the harm might have been irreparable and could have cost users millions of dollars.