Post-Mortem of Events June 23

This post was originally published here

On June 23, 2022, @alexintosh on Twitter reported some abnormal activity on the Convex Finance website. Suspicious contract approvals were suspected.

Shortly after this, @samczsun sent a direct-message to the Convex Twitter account with the same suspicions. Convex Twitter issued this initial warning tweet as a result of the two similar notifications.

Summary of Attack

After some initial investigation, it was confirmed that the DNS of www.convexfinance.com had been hijacked, taking users to a copy of the website containing malicious contracts. The attack replaced web elements that interact with smart-contracts across varying portions of the site to new contracts under the attackers control. Unsuspecting users could have clicked familiar buttons in the UI, but been prompted to approve new, malicious contracts. Many contract addresses even contained the same first and last 4 characters, making it easier to glance at these new contracts and potentially accept them as the originals. Furthermore, the malicious contracts did not seem to be presented to all users, nor were they always presented on the same web elements.

Convex used NameCheap as it’s domain registrar for convexfinance.com. The attacker was able to access the NameCheap account, even with 2-factor authentication enabled, a strong password, and security alerts. Convex team still had access to the account; 2FA was still enabled, the password was the same, but the attacker was still able to access the account, change the DNS to point to the malicious website, and disable security alerts. Convex team immediately changed the DNS back to point to the real website, and re-enabled security alerts, but it was still unknown how the attacker gained access in the first place.

biswap

After this, Convex immediately reached out to Namecheap support, and after some short discussion about the incident, was told the domain may be disabled entirely for an unknown time period. Since the attack vector was not entirely understood, and the domain could potentially go offline, a new, temporary domain was deployed using a new registrar, at which time Convex Twitter tweeted the new domain.

Several individuals pointed out that the Convex Twitter account could have also been compromised, and this tweet may also have linked to malicious websites. In retrospect, this was a fair criticism. An attempt at alleviating those fears was made later, with @c2tp signing a message confirming the temporary URLs were indeed coming from the Convex team.

Additional Defi Protocol Front-Ends were also targets. Word began to spread on Twitter about additional Defi protocols being targeted simultaneously. Ribbon Finance, DefiSaver, and Allbridge all experienced similar attacks, with DNS records being altered. All had registered their DNS with Namecheap.

Working together with these teams and the initial security response team, all protocols were able to regain control of their front-ends and mitigate further damage. Additionally, communication with NameCheap’s CEO on Twitter confirmed the attack vector; a customer support agent at NameCheap altered the DNS records.

Having regained control of the website, and a root cause confirmed, Convex Twitter communicated again with a brief summary of events.

Response and Resolution

As stated on June 24, the original convexfinance.com is back to normal operation.

  • The website is now using a new DNS registrar.
  • Multiple layers of DNS monitoring are enabled to help identify these types of attacks in the future.

If you used convexfinance.com in any capacity from June 20th — June 23rd, please review your contract approvals using https://etherscan.io/tokenapprovalchecker, revoke.cash, or similar tools, and remove any unknown approvals. Review and compare approvals with this list from the Convex Finance Docs. https://docs.convexfinance.fi/convexfinance/faq/contract-addresses

Compensation Plan for Lost Funds

As of today, there are 40 known addresses that approved malicious contracts as a result of this incident. In total, an estimated 15,968 cvxCRV and 433 CRV are suspected of being stolen from users. Only 3 of the 40 addresses listed had funds taken. Please review this list if you have not already, and revoke malicious contract approvals if your address is listed here.

Convex Finance will attempt to compensate losses stemming from the DNS hijacking from June 20–23, 2022, sourced from the treasury, and paid in CVX tokens equivalent to the USD values at time of loss. Funds will go directly to the addresses affected once approvals have been revoked to the malicious contracts.

  • Payouts will go directly to the affected address after confirming revoked approvals.
  • Payments will not be forwarded/sent to different addresses.

If you are one of the addresses affected and need help with revoking the approval, please reach out to the team via Discord or Twitter, and be prepared to provide your Ethereum address where funds were affected. Otherwise, we will be sending the funds shortly; no need to contact the team if you have already revoked the approval.

If you do need to reach out, be absolutely certain you are communicating with a Convex team member, as this type of interaction is sure to attract scammers/phishing attempts.

  • You may be asked to revoke approvals, but you will not need to do any new approvals to receive compensation.
  • You will not need to send any tokens anywhere to receive compensation.

Special thanks to the following individuals and teams for their quick collaboration and assistance.

Leave a Comment