GoDaddy’s Failure to Prevent Attacks – DeFi Projects Urge The Ecosystem to Abandon Centralised Hosting
In mid-May of 2022, QuickSwap, a decentralised finance platform which manages millions of dollars of crypto investors’ funds, began receiving multiple reports that the token swap feature on its website was malfunctioning. After almost two hours of troubleshooting, developers at QuickSwap discovered that it was not a mere technical error: the website domain, registered and hosted by GoDaddy, a centralised platform, had been hijacked by hackers who replaced the original webpage with a fake one, which caused tokens swapped by users to be diverted to a wallet created by the attackers.
Warnings put out by QuickSwap on social media platforms about the attack did little to prevent users from trading on the website, as they were either not seen or came too late. The attacker stole $107,600 worth of crypto in the seven hours of being in control of the domain, while QuickSwap’s co-founder, Sameep Singhania, struggled to get GoDaddy to help, according to the post-attack report by the platform.
“[…] Hijackers gained access to QuickSwap’s domain through GoDaddy. The hijackers changed the DNS settings so that all trades would go to his or her address,” the report read.
Other DeFi platforms were also victims of what seem like coordinated DNS (Domain Name System) attacks against GoDaddy, which has over 75 million registered domains, in the hours and days before the QuickSwap hijack on the morning of May 14. On the evening of May 13, SpiritSwap was attacked, with losses rising to $71,763 by the end of the attack, which lasted about 21 hours. HoneySwap lost about $20,000 on May 10 to a similar attack.
Chjango Unchained, the executive director of dWeb Foundation and host of Cosmos Radio Station, told Arweave News that hackers were becoming sophisticated in how they defraud people because they know that many users would not fall victim if web links appear fake.
“So when they (attackers) find an exploit within a particular registrar to steal the ‘real’ domain names of a legitimate name holder, then this would completely blindside users, especially when they know that they are on the correct URL and thus, rightly so, would think that it’s business as usual,” Unchained said.
Apparently trying to save themselves from the wrath of affected users and potential reputational damage, especially in a period when 97 percent of DeFi protocols were the targets of different heists on digital assets in 2022, amounting to $1.7 billion according to Chainalysis, all three platforms absolved themselves of blame. But vulnerabilities in GoDaddy’s security system, including its staff being deceived by the attacker into granting login access prior to the attack, need to be talked about.
GoDaddy’s operations, like many centralised web hosts and domain registrars, have never been devoid of crises and controversies in how they are managed. In 2021, a data breach which exposed 1.2 million customers of GoDaddy to phishing attacks was not detected until after almost three months. In April 2022, about 298 websites were found to be infected with a backdoor which generated spammy Google search results; it was not detected for at least seven years.
Web3 decentralised applications secure their backends by deploying bug-free code on blockchains, but they can still suffer attacks if their frontend or web storage is hosted by compromised, centrally controlled platforms whose single point of failure cripples everything. In the case of the coordinated DNS attack on the three DeFi platforms, attackers could lock the original owners out of their websites while they wreaked havoc, leaving the owners with the option of waiting for help from the web host.
“Uptime and server security are the biggest concerns and risks. If someone manages to compromise the server hosting the web page that users are using to interact with the decentralised application, then there can be a loss of funds,” Harry Denley, security expert at MetaMask, told Arweave News.
Centralised web hosting is still being adopted by many decentralised applications in Web3 despite the risks and, if an attack occurs, the possible bad publicity for an entire ecosystem that is striving to gain adoption.
“Web3 DeFi apps boast about censorship resistance at the smart contract layer but appear to sweep the fact that their frontends are 100 percent hosted on Web2 stack, under the rug,” Unchained said, explaining that dApps choose centralised hosting for convenience and because Web3 infrastructure foundation has yet to mature to support applications and projects at scale.
He, however, noted that “at present, choosing centralised third parties to host their frontend does not pose any tangible systemic risk to the rest of the ecosystem but it does hurt themselves and their users in the interim.”
The attacks on DeFi platforms hosted on GoDaddy, and the struggle the platforms went through to reclaim their domain names, highlight that partial decentralisation leaves weak spots in the defences of DeFi projects regardless of the strength of their on-chain smart contracts and fundamental infrastructure.
“Attacks on a website’s infrastructure are always a risk and teams from Web2 and Web3 should be aware of such and monitor their infrastructure for any compromise,” Denley said.
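
One form the monitoring Denley describes can take, for the kind of DNS-settings change reported in these incidents, is a drift check of observed records against a pinned baseline. The sketch below is an added example, not code from QuickSwap, GoDaddy or MetaMask; the record sets, domains and addresses are constructed, and it assumes a separate job has already collected the observed records from a resolver.

```python
# Added example: compare observed DNS records with a pinned baseline.
# All domains, addresses and record sets are constructed sample data.

# A changed NS set means the whole zone is now answered by someone else.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high"}
RANK = {"critical": 0, "high": 1, "medium": 2}

BASELINE = {
    "NS": ["ns1.dns-host.example.", "ns2.dns-host.example."],
    "A": ["192.0.2.10"],
}
# Snapshot as a monitoring job might collect it after a hijack (constructed).
OBSERVED = {
    "NS": ["ns1.other-host.example.", "ns2.other-host.example."],
    "A": ["203.0.113.66"],
    "TXT": ["v=spf1 -all"],
}

def normalise(values):
    """Case-fold and drop the trailing root dot so equal names compare equal."""
    return {v.strip().lower().rstrip(".") for v in values}

def dns_drift(baseline, observed):
    """Return findings for every record type that differs from the baseline."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = normalise(baseline.get(rtype, []))
        got = normalise(observed.get(rtype, []))
        if want == got:
            continue
        findings.append({
            "type": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "unexpected": sorted(got - want),
            "missing": sorted(want - got),
        })
    # Most serious first, so a delegation change is what the on-call sees.
    return sorted(findings, key=lambda f: RANK[f["severity"]])

if __name__ == "__main__":
    for finding in dns_drift(BASELINE, OBSERVED):
        print(finding)
```

Run on a short interval and wired to an out-of-band alert channel, a check like this shortens the window in which a changed record goes unnoticed; it does not prevent a registrar-side compromise.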