On July 11, 2024, on-chain detective ZachXBT was the first to warn about a potential phishing attack on the website of the DeFi platform Compound Finance.
ZachXBT reported that the official domain of Compound Finance (Compound.finance) had been compromised. When users visited the homepage, they were automatically redirected to a fraudulent website named “compound-finance.app,” which could lead to significant asset losses if users interacted with it.
Shortly after, the official X account of Compound Labs confirmed the incident and issued an urgent warning advising users “not to visit the website or click on any links until further notice.”
URGENT: The Compound Labs website (compound[.]finance) has been compromised.
Please do not visit the website or click any links until further notice. An update will be provided when available.
This is our final message // end of tweet.
— Compound Labs (@compoundfinance) July 11, 2024
Compound Finance’s security advisor, Michael Lewellen, described the attack as phishing. “The website users are redirected to is a money-draining tool that can wipe out their funds if they interact with it. Therefore, Compound itself is unaffected, and all user deposits on the protocol remain safe.”
ALERT: The https://t.co/vSAGYl6wwJ URL has been compromised and is currently hosting a phishing site. DO NOT interact with the https://t.co/vSAGYl6wwJ website until further notice.
The Compound protocol itself is not impacted and all smart contract funds are safe.
— Michael Lewellen (@LewellenMichael) July 11, 2024
However, the incident wasn’t isolated to Compound Finance. At the same time, Celer Network also reported a phishing attack on its website using a similar method.
According to 0xngmi, founder of DeFiLlama, the issue may stem from both DeFi protocols using the same web service provider, Squarespace. Squarespace was likely compromised, affecting all platforms using its services.
0xngmi also listed several major DeFi projects using Squarespace, which might be the next targets of phishing attacks. These include Pendle, Karak, Hyperliquid, dYdX, Axelar Network, Polymarket, and THORChain.
Developers recommend that, until the issue is resolved, projects using Squarespace consider switching to other domain service providers such as Cloudflare, Amazon Web Services, MarkMonitor, or CSC DBS to ensure user safety.
notable domains that are at risk: https://t.co/SxUDwsEgxC https://t.co/ZfqPB3dvGJ https://t.co/IQoLlDzCl7 https://t.co/c8aJyZ4rZm https://t.co/pnFuffioes https://t.co/Cz4tJMHsL2 https://t.co/TMSUnVTlrq https://t.co/PiVFKTBlMH https://t.co/8VtP9ituCD https://t.co/1n5DnS5R2B … https://t.co/399c6wO3B6
— 0xngmi (@0xngmi) July 11, 2024
This marks the second widespread phishing attack on DeFi protocols in six months. In late December 2023, the Ledger library was infected with malware that could automatically drain users’ assets upon interaction. Numerous apps, including Hey, SushiSwap, Zapper, and Revoke, widely use this tool, resulting in compromised front-ends that spread malware to users.
For Compound Finance, this is the second phishing attack since late December 2023, when their X account was hijacked to promote a fraudulent website, leading to reported losses of around $4.4 million in LINK tokens.
Compound holds over $2.18 billion in assets, making it one of the most extensive DeFi services in the sector.