dYdX Post-Mortem Reveals Two Users Lost $31K in DNS Hijack
A dYdX post-mortem has revealed that two users lost approximately $31,000 in its recent DNS (Domain Name System) hijack.
According to dYdX, on July 23, 2024, the "dYdX.exchange" domain was compromised when an attacker changed the domain's DNS nameservers and disabled DNSSEC. DNSSEC adds a layer of trust on top of DNS by cryptographically signing records so that resolvers can verify they come from the legitimate zone owner; removing it leaves resolvers with no way to detect that the answers now come from attacker-controlled nameservers.
dYdX immediately contacted Squarespace's customer support, who restored control of the domain and corrected the nameserver records within a few hours, after a 30-minute delay caused by third-party vendor maintenance.
While the domain was under the attacker's control, it served a malicious site that prompted visitors who connected a wallet to send ETH or any ERC20 token to the attacker's address. In parallel, dYdX worked with SEAL to get the site blocklisted in crypto wallets such as MetaMask and Phantom.
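The two indicators in this incident, a changed NS delegation and DNSSEC being switched off, are exactly what a domain owner should be monitoring for. The following is an added example (not dYdX's or Squarespace's code) that diffs a trusted baseline against a fresh snapshot built from captured `dig` output and raises an alert on either indicator. It uses only the Python standard library; the nameserver names, DS record and dig headers below are constructed for illustration and are not real records for any domain.

```python
"""Diff a trusted DNS baseline against a fresh snapshot to surface the two
indicators seen in this incident: a changed NS delegation and DNSSEC being
switched off. Added example, not dYdX's or Squarespace's code. Stdlib only;
all inputs are constructed to look like dig output and are not real records."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    nameservers: frozenset  # NS names, normalized to lowercase without trailing dot
    ds_records: frozenset   # DS lines from the parent zone; empty means no DNSSEC chain
    ad_flag: bool           # True if a validating resolver set AD on a +dnssec answer


def normalize_name(name: str) -> str:
    return name.strip().rstrip(".").lower()


def parse_snapshot(ns_short: str, ds_short: str, dnssec_answer: str) -> DnsSnapshot:
    """Build a snapshot from three captured outputs:
    `dig +short NS <domain>`, `dig +short DS <domain>`, `dig +dnssec A <domain>`.
    Only the NS and DS answer lines and the `;; flags:` header are used."""
    nameservers = frozenset(
        normalize_name(line) for line in ns_short.splitlines() if line.strip()
    )
    ds_records = frozenset(
        " ".join(line.split()) for line in ds_short.splitlines() if line.strip()
    )
    match = re.search(r"^;; flags:([^;]*);", dnssec_answer, re.MULTILINE)
    ad_flag = bool(match) and "ad" in match.group(1).split()
    return DnsSnapshot(nameservers, ds_records, ad_flag)


def detect_hijack_indicators(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Return human-readable alerts; an empty list means nothing changed."""
    alerts = []
    added = observed.nameservers - baseline.nameservers
    removed = baseline.nameservers - observed.nameservers
    if added or removed:
        alerts.append(
            f"NS delegation changed: added={sorted(added)} removed={sorted(removed)}"
        )
    if baseline.ds_records and not observed.ds_records:
        alerts.append("DNSSEC disabled: DS records removed from the parent zone")
    elif baseline.ds_records != observed.ds_records:
        alerts.append("DS records changed (expected only during a planned key rollover)")
    if baseline.ad_flag and not observed.ad_flag:
        alerts.append("Validation lost: resolver no longer sets AD on answers")
    return alerts


# Constructed sample captures (hypothetical names, not real records for any domain).
BASELINE_NS = "ns1.legit-dns.example.\nns2.legit-dns.example.\n"
BASELINE_DS = "2371 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
BASELINE_A = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n"
)
HIJACKED_NS = "ns1.attacker-dns.example.\nns2.attacker-dns.example.\n"
HIJACKED_DS = ""  # attacker deleted the DS records at the registrar
HIJACKED_A = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
)


def run_demo() -> list:
    baseline = parse_snapshot(BASELINE_NS, BASELINE_DS, BASELINE_A)
    observed = parse_snapshot(HIJACKED_NS, HIJACKED_DS, HIJACKED_A)
    return detect_hijack_indicators(baseline, observed)


if __name__ == "__main__":
    for alert in run_demo():
        print("ALERT:", alert)
```

In practice the three `dig` captures would be taken on a schedule from a resolver outside the organization and compared against a baseline stored out of band, so that an attacker who has taken over the registrar account cannot also silently update the baseline. The DS check is the important one here: once the DS records are gone from the parent zone, a validating resolver treats the domain as unsigned and stops setting the AD flag, so the loss of DNSSEC shows up as a missing `ad` in the flags as well as an empty DS answer.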
Unfortunately, two users lost funds by interacting with the malicious site, and dYdX is working with the victims to recover them.
"2 users were affected with approximately $31,000 in lost funds due to this attack. dYdX trading is in contact with both affected users and is assisting in securing their wallets and is committed to recovering funds," dYdX explained.
Although the attacker's identity is unknown, they appear to be a fairly skilled actor. The post-mortem raises the possibility that social engineering was involved, since the perpetrator deliberately chose a believable-looking email address.
Earlier this month, the decentralized finance (DeFi) ecosystem was rocked by a massive DNS hijacking incident that targeted multiple DeFi applications.
The attack, traced back to a flaw in Squarespace's domain registrar service, compromised numerous DeFi platforms, including Compound Finance and Pendle Finance.