DeFi users reported suspicious functionality on the website of lending platform Compound Finance on Sunday.

The incident is the latest in a string of website hijackings that have affected Maple Finance, OpenEden and Curvance.

It’s the second time attackers have compromised Compound’s front end in less than two years.

Compound’s security provider later published an update on the project’s governance forum, reassuring users that the incident had been rectified and “all other credentials on the affected infrastructure account have been rotated.”

The post explains that the project’s website redirected users to “a phishing site hosted on a lookalike domain (‘compOOnd’),” but “no user loss of funds [was] identified.”

Compounding errors

Previously, the Compound front end was hacked in July 2024, along with other Squarespace-based DeFi domains.

There are worries that such attacks may become more common as AI tools lower the bar for would-be phishing scammers.

Luckily, Compound users were better protected yesterday.

According to the forum post, the app.compound.finance subdomain, on which users connect wallets and make transactions, “is served via IPFS, allowing [security providers] to independently verify its integrity.”

Sunday’s incident is the latest in a string of blunders for what was once one of DeFi’s top protocols.

Last year, the Compound DAO came under scrutiny over conflict-of-interest concerns related to service provider Gauntlet.

In 2022, an operational error bricked the cETH market (worth over $800 million at the time) for a week while a fix was implemented. The previous year, almost $150 million of excess rewards were distributed, also by mistake.

