The recent hacks of Compound Finance and Celer Network’s front-end domains on Wednesday revealed at least an additional 124 domains are at risk of exploitation by virtue of their registration with website-building company Squarespace, according to security experts. 

Compound Finance, one of the largest decentralized protocols with a total locked value of nearly $2.2 billion, is hosting a phishing site, said Michael Lewellen, head of solutions architecture at blockchain security firm OpenZepplin, on X. He warned users not to interact with the website until further notice.

Another attacker, perhaps the same one or group, also attempted to take over the front-end domains of Celer Network. The team said on X that the takeover was intercepted and that their “investigation indicates that the attack vector likely involved third parties beyond our control.” 

In a conversation with Unchained, the founder of blockchain network Glue and prominent white-hat hacker who goes by Ogle indicated that Compound Finance and Celer Network’s use of Squarespace to host their front-end websites is what allowed these exploits to occur. 

“Right now, [Compound Finance is] exploited to the point that links are changed and so people can be phished,” he added. Phishing is a type of scam where exploiters use deception to make people reveal sensitive information or install malicious software. 

The at-risk websites initially used Google Domains, but Squarespace acquired the Google Domains business, completing its acquisition of assets in September 2023. 

The recent exploits were “almost certainly” from the migration of Google Domains to Squarespace, said Ogle. “What I’ve learned is that during that migration 2FA [short for two-factor authentication] was disabled.” 

Compound Finance and Celer Network “probably did have 2FA enabled on Google, but then once it got switched over, not the case anymore,” he added.

“Google sold their domain business to Squarespace a few months ago and the forced migration of domains to Squarespace removed 2FA causing all these domains to be vulnerable and several have been hijacked,” said Bobby Ong, the co-founder of CoinGecko, on X.

Read More: $1 Million Bounty On Offer for Finding Bugs On Solana Validator Client Firedancer

Domains of Top Protocols At-Risk

The number of crypto protocols joining the likes of Compound Finance and Celer Network may grow, as the pseudonymous founder of DefiLlama, who goes by the screen name @0xngmi on X, noted that 124 additional front-end domains of prominent crypto protocols are using Squarespace including Pendle Finance, Hyperliquid, dYdX, Nostra Finance, Axelar Network, Polymarket, Thorchain, Aptos Labs, NEAR, and Safe. 

A spokesperson for Safe, a wallet infrastructure provider, confirmed with Unchained that Squarespace is involved with its front-end website, but emphasized they haven’t identified any abnormal activity and have systems in place to detect irregular changes. 

“We currently remain unaffected,” Safe’s spokesperson said. “Our teams will continue to monitor the situation and keep our community and users informed.”

“As always, stay vigilant,” the spokesperson at Safe added. In a similar vein, the dYdX trading team said to Unchained over Telegram, “dYdX.exchange is secure with no detected vulnerabilities” and that they will also continue to “monitor the situation.” Axelar Network also has not identified any issues with its domain and will continue to track for any further developments, per a post on X. 

Read More: 50% of Illicit Funds End Up At Centralized Crypto Exchanges, Chainalysis

The domains of these protocols —  barring Compound Finance and Celer Network  — remain unaffected. Yet Ogle says protocol team members should be worried as the situation is “not good” and that people should not go to any of these websites “under any circumstances until the official Twitter says it’s safe.”

At presstime, Compound(dot)Finance gets redirected to Compound-Finance(dot)app, in which the latter is flagged by Google as a dangerous site. “Attackers on the site you’re trying to visit might trick you into installing software or revealing things like your password, phone, or credit card number,” according to Google’s warning.

Caption: The message Google raises when people try to visit compound(dot)finance, which gets redirected to compound-finance(dot)app.
The message Google raises when people try to visit compound(dot)finance, which gets redirected to compound-finance(dot)app.

If a user proceeds despite the flagrant, red warning, they’ll see a website that looks like a standard crypto protocol.

The interface of the phishing site that is hosted by Compound Finance’s front end.
The interface of the phishing site is hosted by Compound Finance’s front end.

Difference Between a Domain and Protocol

While the domain websites of crypto projects may go down in the event of a hijacking, the actual protocols remain unaffected. People or bots can still interact with a project’s smart contract without going through a front-end website, Ogle said. 

“You could transfer funds on the blockchain, you could go through their bridge, all that kind of stuff can happen without ever even using the website.” Even if a protocol’s front-end domain is attacked and “taken down by these hackers right now or whatever, you still don’t lose your money. You still have access to it.”

Representatives of Squarespace did not immediately respond to Unchained’s requests for comments.

UPDATE (July 12, 2024 10:03 a.m. ET) Includes status update of Axelar Network