
Abandoned DeFi websites used to host crypto wallet drainers


Decentralized finance (DeFi) users were alerted yesterday to a novel scam vector, in which scammers take over the websites of abandoned projects in order to lure former users into signing malicious “drainer” transactions.

The warning came from 0xngmi, the pseudonymous founder of analytics platform DeFiLlama, who confirmed that expired domains were being removed from the platform and its browser extension, but nonetheless urged users to exercise caution.

Read more: Compound Finance and Celer Network websites compromised in ‘front-end’ attacks

This passive tactic differs from more common scamming methods, which usually require active participation from the scammers themselves. In taking over a legitimate URL, the scam relies on former users coming back to interact with familiar websites (likely bookmarked, if following best practices), to remove funds that had previously been deposited when the project was still active.

With no team remaining to alert to the security breach or replace the malicious interface, there’s little to be done about these well-laid DeFi website traps other than carefully checking any transaction to be signed.

One Maker/Sky community member points out that the official domain name of now-defunct Maker sub-DAO Sakura is currently available for just a penny.

Read more: Maker DAO drama flares amid proposal to tackle ‘governance attack’

What are front-end attacks?

As opposed to closed-source centralized crypto exchanges, DeFi protocols run directly on blockchains such as Ethereum or Solana.

The vast majority of users interact with DeFi protocols via the project’s website, or front-end, a user-friendly interface that crafts transactions to be signed via a crypto wallet. It’s technically possible to craft transactions using other tools, including block explorers like Etherscan, but this is uncommon.

Unsurprisingly, the front-ends themselves are an attack vector for would-be hackers. A common approach, which led to a wave of incidents last summer, is to compromise the official site via social engineering of DNS providers.

The sites are typically cloned, but the transactions presented to the user are altered to, for example, grant token approvals or send funds directly to the attacker.
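The article's advice is to carefully check any transaction before signing it, and the paragraph above names the typical alteration: a token approval or transfer redirected to the attacker. The following is an added example, not code from the article or from any project it mentions, of the kind of pre-signing check a wallet or browser extension could run on a transaction request. It decodes the calldata for the standard ERC-20 `approve`/`transfer` and ERC-721 `setApprovalForAll` selectors (the real, well-known values) and flags approvals to a spender the user does not recognise, unlimited allowances, and unknown function selectors. The token, router and spender addresses are constructed placeholders, and the "trusted spenders" list is an assumed input (the contracts the user actually intends to interact with).

```javascript
// Added example: decode the calldata a DeFi front-end asks a wallet to sign and
// flag the patterns a drainer relies on. Standard ERC-20 / ERC-721 selectors
// (first 4 bytes of keccak256 of the function signature).
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
};

const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" allowance

// Return the 32-byte ABI word at argument position `index` of the calldata.
function word(data, index) {
  const start = 10 + index * 64; // skip "0x" plus the 8-hex-char selector
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error('calldata too short');
  return w;
}

function wordToAddress(w) { return '0x' + w.slice(24).toLowerCase(); } // last 20 bytes
function wordToUint(w) { return BigInt('0x' + w); }

// Decode calldata into a readable object, or null if the selector is unknown.
function decodeCalldata(data) {
  const d = data.toLowerCase();
  const sig = SELECTORS[d.slice(0, 10)];
  if (!sig) return null;
  switch (sig) {
    case 'approve(address,uint256)':
      return { fn: 'approve', spender: wordToAddress(word(d, 0)), amount: wordToUint(word(d, 1)) };
    case 'transfer(address,uint256)':
      return { fn: 'transfer', to: wordToAddress(word(d, 0)), amount: wordToUint(word(d, 1)) };
    case 'setApprovalForAll(address,bool)':
      return { fn: 'setApprovalForAll', operator: wordToAddress(word(d, 0)),
               approved: wordToUint(word(d, 1)) !== 0n };
  }
}

// Review a transaction request { to, data } against the contracts the user
// intends to interact with. Returns a list of warnings; empty means nothing flagged.
function reviewTransaction(tx, trustedSpenders) {
  const trusted = new Set(trustedSpenders.map(a => a.toLowerCase()));
  const decoded = decodeCalldata(tx.data);
  const warnings = [];
  if (!decoded) {
    warnings.push(`unrecognised function selector in call to ${tx.to}: inspect manually`);
    return warnings;
  }
  if (decoded.fn === 'approve') {
    if (!trusted.has(decoded.spender)) warnings.push(`approve: spender ${decoded.spender} is not a known protocol contract`);
    if (decoded.amount === MAX_UINT256) warnings.push('approve: unlimited allowance requested');
  }
  if (decoded.fn === 'setApprovalForAll' && decoded.approved && !trusted.has(decoded.operator)) {
    warnings.push(`setApprovalForAll: operator ${decoded.operator} is not a known protocol contract`);
  }
  if (decoded.fn === 'transfer' && !trusted.has(decoded.to)) {
    warnings.push(`transfer: recipient ${decoded.to} is not a known address`);
  }
  return warnings;
}

// ABI encoding helpers used to build the sample requests below.
function pad(hex) { return hex.replace(/^0x/, '').toLowerCase().padStart(64, '0'); }
function encodeApprove(spender, amount) { return '0x095ea7b3' + pad(spender) + pad(amount.toString(16)); }
function encodeSetApprovalForAll(operator, approved) { return '0xa22cb465' + pad(operator) + pad(approved ? '1' : '0'); }

// Constructed sample: placeholder addresses, not real contracts.
const TOKEN = '0x0000000000000000000000000000000000000aaa';            // token being approved
const PROTOCOL_ROUTER = '0x1111111111111111111111111111111111111111';  // genuine protocol contract
const DRAINER = '0x2222222222222222222222222222222222222222';          // attacker-controlled spender

// What the genuine front-end would have asked for: a bounded approval to the router.
const legitimateTx = { to: TOKEN, data: encodeApprove(PROTOCOL_ROUTER, 1000n * 10n ** 18n) };
// What a tampered front-end asks for: an unlimited approval to an unknown spender.
const drainerTx = { to: TOKEN, data: encodeApprove(DRAINER, MAX_UINT256) };

console.log(reviewTransaction(legitimateTx, [PROTOCOL_ROUTER])); // []
console.log(reviewTransaction(drainerTx, [PROTOCOL_ROUTER]));    // two warnings
```

The check is deliberately conservative: anything it cannot decode is flagged for manual inspection rather than passed through, because a compromised front-end is free to call whatever function it likes. A real wallet would also resolve the spender against a contract registry or a verified-source check rather than a static list.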

A simpler tactic also clones legitimate sites, but hosts the copies at similar-looking URLs or promotes them through obfuscated, or “spoofed”, hyperlinks on X or Google.

Read more: Every UK MP hacked on X since Elon Musk took control

Of course, some front-end losses aren’t scams at all. Rather, they’re vulnerabilities in the site’s code that can be exploited by hackers. This was the case in Friday’s $2.6 million mishap on DeFi lending platform Morpho, which was fortunately front-run by well-known MEV bot c0ffeebabe.eth.

Front-end attacks — the tip of the iceberg

Such attacks, which generally target individual users, are different from other threats facing users of DeFi platforms, such as exploits of the smart contracts themselves and private key compromises. These often lead to larger losses when the assets hosted within the projects’ contracts are drained all at once.

Just this week, both of these types of incidents have led to significant losses. Yesterday, ZKsync announced that $5 million of ZK tokens left over from the project’s airdrop had been snaffled, after a 1-of-1 multisig appears to have been compromised.

On Monday, decentralized perps exchange KiloEx lost $7.5 million due to a vulnerability in the project’s price oracle.

Another risk comes from the teams themselves, who often control enormous quantities of their project’s token. As we’ve seen in the past few days, teams can withdraw liquidity at a whim or sell tokens OTC, which can result in wild price swings when leveraged positions on overvalued tokens blow up; teams can even get hacked themselves.

Read more: MANTRA CEO says ‘reckless’ exchanges caused OM token collapse

A final threat from within comes from malicious team members, be they North Korean infiltrators or simply a ‘nefarious developer’, as The Roar claimed after approximately $780,000 went missing out of a backdoor earlier today.

