Compound Finance and Celer Network websites compromised in ‘front-end’ attacks

The websites of crypto lending platform Compound Finance and Celer Network have been attacked, redirecting users to a malicious phishing site, according to multiple security researchers.

Compound, one of the longest-established decentralized finance (DeFi) applications, holds assets worth over $2B, according to data from DeFiLlama. Celer’s cBridge allows users to send tokens between 14 blockchains, processing over $200M in volume last month.

Security advisor to the Compound DAO, Michael Lewellen, posted a community alert via X (formerly Twitter), urging users to avoid the platform’s website. Compound Finance confirmed the attack 90 minutes later. The breach was highlighted earlier by ZachXBT via Telegram.


Celer Network alerted users four hours later to a similar attack that “seems to be hitting multiple projects at the same time.” Pseudonymous security researcher Samczsun suspects the breaches to have come from Squarespace. DeFiLlama’s 0xngmi compiled a list of other domains that may be at risk.

This type of attack, known as a ‘front-end’ attack, is a relatively common vector for crypto hackers. The method doesn’t rely on finding a bug to exploit in the underlying smart contract code; instead it simply replaces the project’s website with a malicious version.

A potential attacker must compromise the domain name system (DNS) registrar, generally by bribing or socially engineering an employee. In response to the front-end attack that hit Curve Finance in June 2022, the CEO of Namecheap (the DNS registrar responsible) stated that a customer service agent had been compromised, claiming the agent was either hacked or paid off in bitcoin.


Similar incidents have affected many major DeFi platforms, such as Curve Finance, Cream Finance, Pancake Swap, Balancer, Frax and Velodrome, among others.

Previous hacks have often involved cloning the original website but swapping out key elements, so that users’ wallets end up crafting malicious transactions. These transactions may transfer funds directly to an address controlled by the hacker, or ‘harvest’ token approvals.

This approvals harvesting technique was used to devastating effect in the $120M BadgerDAO hack of December 2021.

Over the course of 12 days, BadgerDAO users inadvertently signed malicious approval transactions which granted the exploiter permission to spend tokens directly from the victims’ wallets. Now-bankrupt Celsius was among the victims, losing 897 BTC (worth over $40M at the time), before forfeiting $22M worth of compensation due to an ‘unforced error’.
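The approval-harvesting pattern described above shows up on-chain as an ERC-20 `approve(spender, amount)` call with an effectively unlimited amount and a spender the user has never interacted with. The following is an added example, not code from the article, Compound or Celer, of a pre-signing check that a wallet or browser extension could run on the calldata a front-end asks it to sign. The function selector `0x095ea7b3` is the real ERC-20 `approve` selector; the trusted-spender list, the "unlimited" threshold and the sample addresses are constructed assumptions for the example.

```python
# Added example for this article (not code from Compound, Celer, or the
# article's author): a defender-side pre-signing check that decodes an
# ERC-20 approve() call and flags the "approval harvesting" pattern, i.e. an
# unlimited allowance granted to a spender the user has never dealt with.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Real ERC-20 function selector: first 4 bytes of keccak256("approve(address,uint256)").
APPROVE_SELECTOR = "095ea7b3"
MAX_UINT256 = 2**256 - 1
# Assumption: any allowance at or above this is treated as "effectively unlimited".
UNLIMITED_THRESHOLD = 2**128


@dataclass
class ApprovalVerdict:
    spender: str
    amount: int
    unlimited: bool
    known_spender: bool
    risky: bool
    reason: str


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; used here only to construct samples."""
    addr = spender.lower().removeprefix("0x")
    if len(addr) != 40 or not (0 <= amount <= MAX_UINT256):
        raise ValueError("bad spender or amount")
    # ABI encoding: 4-byte selector, then two 32-byte words (address right-aligned, uint256).
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def decode_approve(calldata: str) -> Optional[Tuple[str, int]]:
    """Return (spender, amount) for an approve() call, or None if it is not one."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    word = data[8:72]
    # A 20-byte address is right-aligned in its 32-byte word, so the
    # 12 leading bytes must be zero; anything else is malformed.
    if word[:24] != "0" * 24:
        return None
    return "0x" + word[24:], int(data[72:136], 16)


def check_approval(calldata: str, trusted_spenders: Set[str]) -> Optional[ApprovalVerdict]:
    """Classify an approve() call; returns None for calldata that is not approve()."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return None
    spender, amount = decoded
    unlimited = amount >= UNLIMITED_THRESHOLD
    known = spender in {s.lower() for s in trusted_spenders}
    if unlimited and not known:
        reason = "unlimited allowance to an unknown spender (approval-harvesting pattern)"
    elif not known:
        reason = "allowance to an unknown spender"
    elif unlimited:
        reason = "unlimited allowance to a known spender"
    else:
        reason = "bounded allowance to a known spender"
    return ApprovalVerdict(spender, amount, unlimited, known, unlimited and not known, reason)


# Constructed sample data (not real contract addresses).
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ee" * 20
LEGIT_CALL = encode_approve(TRUSTED_ROUTER, 1_000 * 10**18)   # bounded, known spender
HARVEST_CALL = encode_approve(UNKNOWN_SPENDER, MAX_UINT256)   # what a swapped front-end would request

if __name__ == "__main__":
    for call in (LEGIT_CALL, HARVEST_CALL):
        print(check_approval(call, {TRUSTED_ROUTER}))
```

The check is deliberately conservative: it only decodes the plain `approve` shape and returns `None` for anything else, so a wallet using it would fall back to its normal prompt rather than silently approving calls it does not understand.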


Despite today’s incident, Compound’s back-end code is considered amongst the most secure in DeFi, with any changes requiring scrutiny via a fully on-chain governance process.

Low-effort ‘forks’, however, regularly find themselves exploited due to dodgy collateral or basic errors when setting up new markets.

Compound itself hasn’t been entirely without its issues in the past, though.


The project’s X account was compromised in December 2023 to spread a phishing link, promising free COMP, the project’s native token.

In September and October of 2021, a total of almost $150M worth of COMP was accidentally distributed as excess rewards to users. Another incident the following year saw the platform’s $830M ETH market frozen for a week.
