DeFi platforms, Cream Finance and PancakeSwap were targeted in a DNS (Domain Name Service) attack on March 15. CREAM Finance announced the DNS attack via Twitter.
“Our DNS has been compromised by a third party; some users are seeing requests for seed phrase on http://app.cream.finance. DO NOT enter your seed phrase. We will never ask you to submit any private key or seed phrases.”
Cream also pointed out Binance Smart Chain DEX platform PancakeSwap was suffering from the same issue. PancakeSwap had released a warning first and tweeted a confirmation soon after, saying,
“This is now confirmed. DO NOT go to the Pancakeswap site until we confirm it is all clear. NEVER EVER input your seed phrase or private keys on a website. We are working on recovery now. Sorry for the trouble.”
Both platforms added that recovery was currently in progress.
Cream Finance Quick To Recover From Crisis
As soon as the website went down users reported it to Cream, who acted immediately. The team realised that the GoDaddy DNS CNAME record was not pointing to their hosting IP (consistent with their website outage) and updated the DNS A record to the correct IP. The team noticed a phishing page as soon they began root cause analysis.
Users reported a DNS cache pollution, and the team migrated the DNS to Cloudfare. Further analysis showed that their GoDaddy login credentials were compromised. As they worked on regaining access, CoinGecko, CoinMarketCap, and imToken were alerted to update their website link post and share warning messages to the community.
Cream set up a war room on telegram to ensure the safety of their user’s funds while the team was working on DNS recovery. Soon after their Twitter announcement, they set up two alternative websites, and ~6 hours after the attack, the team reclaimed the ownership of their domain with the help of GoDaddy.
An hour later, the team announced their domain ownership on Twitter,
“We have regained control of DNS and everything is back to normal on (link1) and (link2). These sites are now safe to use. Thank you for your patience as we are continue[sic] to monitor this situation.”
Cream Investigates The Attack Thoroughly
The team at Cream Finance released a detailed set of their process and investigation on their medium blog. As per their post, the team uses Google SSO to access their GoDaddy account, and the activity log showed that it was not compromised.
The first unusual behavior was noticed in GoDaddy’s activity log when a password reset request was sent to the attacker’s email address. However, there was no record of any email address change. The team reproduced the scenario with their GoDaddy account, signing with their Google account.
A change in email address should produce a record, but the team did not experience it. They could only access a part of the activity log on GoDaddy. They tried to access all but it threw up an “unexpected error.” They confirmed the IP of their attacker to be the same as the one on the activity logs of PancakeSwap, who uses GoDaddy too.
Cream will update their post on medium as further information becomes available.
User’s Funds Remained Safe Throughout The Attack
Cream’s smart contracts and user’s funds remained safe as the DNS hijacking only affected their website. They have deployed a decentralized frontend in IPFS, ensuring that users get to access services deployed by the platform. The team stated they have complete control of their ENS record, preventing such attacks in the future.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.