A security vulnerability in Squarespace domains threatens the decentralized finance (DeFi) space with phishing attacks. On July 11, security researcher ZachXBT shared a Telegram post warning the community to avoid the Compound Finance website, which redirected users to a phishing site.
New Attack Method in the Web3 Space
The first protocol compromised due to the vulnerability was the DeFi protocol Compound Finance. Following this, Celer Network announced it had also been attacked but successfully thwarted the attempt. Meanwhile, DefiLlama developer 0xngmi shared a list of domain names vulnerable to the same attack vector. The list included over 100 protocols, such as Polymarket, dYdX, and Pendle Finance.
CoinGecko founder Bobby Ong explained that the attack originated from Squarespace’s domain registrar. The executive noted that after Google sold its domain business to Squarespace, mandatory domain transfers led to the removal of two-factor authentication (2FA). This step left domains vulnerable. According to Ong, the community should wait for the issue to be resolved before re-engaging with crypto:
“The best thing to do is not interact with crypto and rest until everything is resolved in the next few days.”
Notable Statements on the Issue
Security researcher samczsun suggested that those affected by the recent domain takeover incident at Squarespace might consider transferring to other providers. The white-hat hacker recommended Cloudflare, Amazon Web Services Route 53, MarkMonitor, and CSC DBS. Meanwhile, Unstoppable Domains (UD) founder and CEO Matthew Gould took the opportunity to explain how such attacks could be prevented with Web3 domains:
“By creating verified on-chain records for domains, we can offer an extra layer of protection to browsers, and others can help combat such attacks by verifying.”
The executive added that users could even configure DNS records to be non-updatable unless a verified on-chain signature is provided. He also suggested not allowing record updates without signatures from wallets. This would require hackers to attack both the registrar and the user separately:
“So if your UD account is compromised or UD’s security as a registrar is breached but your wallet is not, the malicious user cannot change your domain in DNS.”