Compound Archives | Protos
https://protos.com/tag/compound/
Informed crypto news. Feed last updated Thu, 11 Jul 2024 13:16:17 +0000.

Compound Finance and Celer Network websites compromised in ‘front-end’ attacks
https://protos.com/compound-finance-and-celer-network-websites-compromised-in-front-end-attacks/
Thu, 11 Jul 2024 13:05:43 +0000

The technique, known as a ‘front-end’ attack, is a relatively common vector for crypto hackers and has impacted multiple projects in the past.

The websites of crypto lending platform Compound Finance and Celer Network have been attacked, redirecting users to a malicious phishing site, according to multiple security researchers.

Compound, one of the longest-established decentralized finance (DeFi) applications, holds assets worth over $2B, according to data from DeFiLlama. Celer’s cBridge allows users to send tokens between 14 blockchains, processing over $200M in volume last month.

Security advisor to the Compound DAO, Michael Lewellen, posted a community alert via X (formerly Twitter), urging users to avoid the platform’s website. Compound Finance confirmed the attack 90 minutes later. The breach was highlighted earlier by ZachXBT via Telegram.

Celer Network alerted users four hours later to a similar attack that “seems to be hitting multiple projects at the same time.” Pseudonymous security researcher Samczsun suspects the breaches originated with Squarespace. DeFiLlama’s 0xngmi compiled a list of other domains that may be at risk.

This type of attack, known as a ‘front-end’ attack, is a relatively common vector for crypto hackers. Rather than finding a bug to exploit in the underlying smart contract code, the method simply replaces the project’s website with a malicious version.

To pull this off, an attacker must compromise the project’s domain name system (DNS) registrar, generally by using financial incentives or social engineering techniques on an employee. In response to the front-end attack that hit Curve Finance in June 2022, the CEO of Namecheap (the DNS registrar responsible) stated that a customer service agent had been compromised, claiming they were either hacked or exploited with bitcoin.

Similar incidents have affected many major DeFi platforms, such as Curve Finance, Cream Finance, Pancake Swap, Balancer, Frax and Velodrome, among others.

Previous hacks have often cloned the original website but swapped out key elements, so that users’ wallets are prompted to craft malicious transactions. These transactions may transfer funds directly to an address controlled by the hacker, or ‘harvest’ token approvals.

This approvals harvesting technique was used to devastating effect in the $120M BadgerDAO hack of December 2021.

Over the course of 12 days, BadgerDAO users inadvertently signed malicious approval transactions which granted the exploiter permission to spend tokens directly from the victims’ wallets. Now-bankrupt Celsius was among the victims, losing 897 BTC (worth over $40M at the time), before forfeiting $22M worth of compensation due to an ‘unforced error’.
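As an added illustration of the approval-harvesting pattern described above (this is example code, not code from Protos, Compound or BadgerDAO), the checker below decodes the `approve(address,uint256)` calldata that a front-end asks a wallet to sign and flags an unlimited allowance granted to a spender outside a hypothetical allowlist; the allowlist address and the sample calldata are constructed placeholders.

```javascript
// Added example: inspect an ERC-20 approve() request before a wallet signs it
// and flag the "approval harvesting" pattern: an unlimited allowance granted to
// a spender that is not one of the protocol's known contracts.
const APPROVE_SELECTOR = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Hypothetical allowlist of spenders a legitimate front-end would request.
// Constructed placeholder address, not a real Compound contract.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// ABI-encode approve(spender, amount): 4-byte selector + two 32-byte words.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Decode calldata; returns null if it is not an approve(address,uint256) call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // address = low 20 bytes of the word
  const amount = BigInt("0x" + hex.slice(8 + 64));
  return { spender, amount };
}

// Verdict: "block" for an unlimited allowance to an unknown spender, "warn" if
// only one of the two conditions holds, "ok" otherwise.
function assessApproval(calldata, knownSpenders = KNOWN_SPENDERS) {
  const decoded = decodeApprove(calldata);
  if (!decoded) return { verdict: "not-approve" };
  const unknownSpender = !knownSpenders.has(decoded.spender);
  const unlimited = decoded.amount === MAX_UINT256;
  const verdict = unknownSpender && unlimited ? "block"
                : unknownSpender || unlimited ? "warn" : "ok";
  return { verdict, unknownSpender, unlimited, ...decoded };
}

// Constructed samples: a harvesting-style request and a benign, bounded one.
const SAMPLE_MALICIOUS = encodeApprove("0x" + "deadbeef".repeat(5), MAX_UINT256);
const SAMPLE_BENIGN = encodeApprove("0x1111111111111111111111111111111111111111", 1000n * 10n ** 18n);

console.log(assessApproval(SAMPLE_MALICIOUS).verdict, assessApproval(SAMPLE_BENIGN).verdict);
```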

Despite today’s incident, Compound’s back-end code is considered amongst the most secure in DeFi, with any changes requiring scrutiny via a fully on-chain governance process.

Low-effort ‘forks’, however, regularly find themselves exploited due to dodgy collateral or basic errors when setting up new markets.

Compound itself hasn’t been entirely without its issues in the past, though. 

The project’s X account was compromised in December 2023 to spread a phishing link, promising free COMP, the project’s native token.

In September and October of 2021, a total of almost $150M worth of COMP was accidentally distributed as excess rewards to users. Another incident the following year saw the platform’s $830M ETH market frozen for a week.

Compound Finance upgrade bug freezes $830M in crypto
https://protos.com/compound-finance-upgrade-bug-freezes-830m-in-crypto/
Wed, 31 Aug 2022 16:38:07 +0000

An upgrade has introduced a bug to Compound Finance, leaving the platform’s ~$830 million cETH market unusable.

An upgrade to DeFi lending protocol Compound Finance has introduced a bug, “causing transactions for ETH suppliers and borrowers to revert” and leaving the platform’s ~$830 million cETH market unusable until a fix is implemented.

Compound announced the incident an hour after the upgrade was executed, stating: “Funds are not immediately at risk, but this is a developing situation.”

While the issue was quickly identified, the fix (simply reverting the smart contract in question to the previous version) cannot be implemented for seven days.

This is due to Compound’s decentralized governance process, which ensures that any changes to the functionality of the protocol can only be made by passing a proposal, voted on by COMP token holders. Any proposed changes face a two-day review followed by a three-day voting period. Successful proposals then pass into a two-day “timelock” queue, where they can be canceled if any last-minute errors are found.

Image courtesy of Compound Finance.

In return for deposits on Compound, users receive interest-bearing cTokens that can be held, accumulating interest, or used as collateral to take out over-collateralized loans.

However, because native ETH behaves differently from ERC-20 tokens on the Ethereum blockchain, Compound uses two types of deposit token contract, CEther and CErc20. The error, introduced in Proposal 117, was in a price calculation that assumed every cToken functioned as a CErc20, which is what caused the transactions to revert.

According to Compound, the proposed code change had been audited by three separate smart contract auditors, though the most recent report linked in the proposal is dated April 1, 2022. 

Proposal 119 will revert to the former price oracle once it passes next week, reactivating the cETH market. In the meantime, users with outstanding debt are still able to deposit ETH to avoid liquidation when the market reopens, if necessary.

This is not the first time that Compound has been unable to fix a live bug due to its slow-moving governance. Last September, $80 million in excess rewards was accidentally distributed to depositors, and a further $68.8 million was released while the fix was pending.
