DeFi users reported suspicious behavior on the website of lending platform Compound Finance on Sunday.
The incident is the latest in a string of website hijackings that have affected Maple Finance, OpenEden and Curvance.
It’s the second time attackers have compromised Compound’s front end in less than two years.
Compound’s security provider later posted an update on the project’s governance forum, reassuring users that the incident had been rectified and “all other credentials on the affected infrastructure account have been rotated.”
The post explains that the project’s website redirected users to “a phishing site hosted on a lookalike domain (‘compOOnd’),” but “no user loss of funds [was] identified.”
Compounding errors
Previously, the Compound front end was hacked in July 2024, along with other Squarespace-based DeFi domains.
There are worries that such attacks could become more widespread as AI tools lower the bar for would-be phishing scammers.
ALERT: The https://t.co/vSAGYl6wwJ URL has been compromised and is currently hosting a phishing site. DO NOT interact with the https://t.co/vSAGYl6wwJ website until further notice.
The Compound protocol itself isn’t impacted and all smart contract funds are safe.
— Michael Lewellen (@LewellenMichael) July 11, 2024
Fortunately, any users of Compound were better protected yesterday.
According to the forum post, the app.compound.finance subdomain, on which users connect wallets and make transactions, “is served via IPFS, allowing [security providers] to independently verify its integrity.”
Sunday’s incident is the latest in a string of blunders for what was once one of DeFi’s top protocols.
Last year, the Compound DAO came under scrutiny over conflict-of-interest concerns related to service provider Gauntlet.
In 2022, an operational error bricked the cETH market (worth over $800 million at the time) for a week while a fix was implemented. The previous year, almost $150 million of excess rewards were distributed, also by mistake.
