Rongchai Wang Jul 26, 2024 03:41
dYdX's domain suffered multiple DNS hijacking attacks due to vulnerabilities in Squarespace's OAuth and account recovery protocols, highlighting broader security concerns.
dYdX, a prominent decentralized trading platform, recently faced multiple DNS hijacking incidents impacting its domain dydx.exchange. These attacks have raised significant concerns about the security protocols of domain registrars and the broader implications for the crypto industry.
Background
In 2023, Squarespace acquired the rights to all domains from the now-defunct Google Domains, migrating them over several months. The dydx.exchange domain was transferred on June 15, 2024. However, on July 9, attackers managed to gain access to this domain, changing its DNS Nameservers from Cloudflare to DDoS-Guard. The attack was mitigated by DNSSEC settings, which blocked unauthorized access.
OAuth Weakness Exploited
Following the initial incident, dYdX worked with Squarespace to restore access and rotated all security credentials. Despite these measures, similar attacks were reported on other crypto-specific domains migrated from Google Domains to Squarespace. SEAL, a crypto security team, initiated an investigation, revealing potential technical vulnerabilities within Squarespace.
On July 18, Squarespace confirmed an exploited security issue with OAuth logins, which was fixed by July 12. Despite this, dYdX decided to change domain registrars, though they believed Squarespace had addressed the vulnerability.
Account-Recovery Attack
On July 23, the dydx.exchange domain was compromised again. Attackers changed the DNS Nameservers and removed DNSSEC settings, hosting a malicious site to steal funds from connected wallets. dYdX collaborated with SEAL and wallet providers like Metamask and Phantom to block the malicious site. Approximately $31,000 was lost by two users during this period.
Upon recovery, it was discovered that the attacker had used a social-engineering attack to reset the domain admin email to their own, bypassing 2FA due to Squarespace’s account-recovery process. Squarespace customer service had reset the account without reaching out to other listed admins.
Securing the Domain
As a response to these incidents, dYdX transferred the domain registration to Cloudflare on July 24, completing the process in six hours. No security issues with dYdX’s smart contracts, backend systems, or the dYdX Chain were found as a result of these incidents.
Industry Implications
These incidents underscore the importance of robust security measures for domain registrars, especially for crypto-related domains. The vulnerabilities in Squarespace’s OAuth and account-recovery protocols highlight the need for continuous improvement in security practices to prevent such attacks.
About dYdX
dYdX aims to democratize access to financial opportunities, with the dYdX Chain representing a significant step forward in this mission. For more information, visit dydx.exchange.
Image source: Shutterstock