Post mortem on this weekend’s DNS event
Firstly, SpiritSwap would like to express gratitude to the community and those who reached out to offer their support over this challenging period. A special acknowledgement to the team at Yield Monitor as they have shown great interest in assisting us and offered valuable resources to remedy the issue. SpiritSwap would also like to extend apologies to those who did not see or were unaware of the social media postings and warning messages in time and subsequently ended up losing money from this attack. There is a compensation plan in place and an intent to make this whole, read on for details.
The events that unfolded based on our analysis at this time
At this time and until more data is provided from GoDaddy’s end, It is the team’s understanding that the attacker contacted GoDaddy and began to socially engineer one of their employees in order to gain access to SpiritSwap’s account. How the attacker managed to get any personal details is unknown to us, however, given the doxxed team, it’s not hard to see that a motivated individual could connect the dots and formulate a plan. This is the unfortunate downside of being publicly known. GoDaddy are yet to respond in full to requests for all logging data relating to our account and how changes were made, so until they provide information to support the contrary, and from the logging data the team have available on the SpiritSwap account, the team believe the attacker posed as one of the team, pretending to have lost login details and was subsequently granted access to the account by GoDaddy.
After gaining access to the account, the attacker proceeded to modify the DNS settings and changed all of the credentials, thus effectively hijacking access and taking ownership for themselves.
After securing access to the SpiritSwap domain, the attacker then proceeded to deploy a phishing site that was spoofed to look like SpiritSwap. The attacker then used the “send to” function within the swap contracts to have any funds that users swapped rerouted to the attacker’s address.
Note: The “send to” function in this contract is forked from UniV2 as it is an active function that allows users to swap and send assets to a different wallet simultaneously. This is a standard function that all UniV2 contracts have.
13/05/22 7:14 PM UTC:
The hacker began redirecting users’ funds to his wallet as the DNS redeployment was put into effect.
13/05/22 7:32 PM UTC:
The team became aware that something was amiss via alerts from the moderator team and began investigating right away. (special thanks to our mods for being so active and vigilant, this is testament to how amazing you guys are!)
13/05/22 8:03 PM UTC:
The development team instructed our community manager to post a warning message to our community while the developers focused on investigating further.
It was initially speculated that our cloud provider might have been compromised, however in an attempt to sign into the domain registry it became apparent that the DNS settings had been tampered with.
13/05/22 8:15 PM UTC:
Non-stop efforts were made to contact GoDaddy and regain ownership of the SpiritSwap domain.
13/05/22 9:33 PM UTC:
After adequate time had passed to help us understand the situation and the attacker’s actions, an announcement was posted on Discord and Twitter, updating the community with the details that were available at that time.
13/05/22 9:55 PM UTC:
A decision was made to disable swapping through the routers to try and stall the attacker from taking anyone’s funds. At this point, the loss of funds sat at around $18,000. This was clearly only a temporary measure, but given there were no other options this was the only preventative measure we could deploy while waiting for support from GoDaddy.
13/05/22 10:19 PM UTC:
The attacker had realized the routers had been disabled and redeployed the swap contracts to use another DEX’s routers instead.
You can see his final transaction on SpiritSwap’s router here:
Fantom Transaction Hash (Txhash) Details | FtmScan
And the subsequent initial transaction from when the attacker had changed routers, here:
Fantom Transaction Hash (Txhash) Details | FtmScan
After spending 7 hours on various calls, the team was able to secure a higher point of contact to escalate the issue to GoDaddy.
During this time, the team sent an email explicitly highlighting the severity of the situation, detailing the loss of funds and pleading with GoDaddy that the longer they delayed verification of team ownership, the more funds would be liable for loss.
Ironically, the attacker was able to socially engineer the team at GoDaddy easier than SpiritSwap was able to verify its authority over the account. It is understood that GoDaddy has processes in place to follow, however this was not ideal given the urgency of the situation.
On 14/05/22 at 4:30 PM UTC:
(Saturday the following day) GoDaddy confirmed that the compromised account had been recovered and reestablished with the domain back in the control of SpiritSwap. The development team immediately began propagating the site, at this point the attacker had no control over the domain and could not make any further changes.
On 14/05/22 at 5:30 PM UTC:
The site had propagated globally so no interactions could happen through the spoofed site. It is at this exact time the attacker had realized he lost total control and began converting all funds to BNB and bridged BNB over to Binance Smart Chain.
Bridged BNB Fantom to Binance Smart Chain:
Sent 129 BNB to:
After the attacker moved the BNB, they started to move the other tokens to another address
Fantom Transaction Hash (Txhash) Details | FtmScan
They swapped all these tokens to FTM and sent 18,630 FTM to another wallet:
Converted all FTM to 22.8 BNB and bridged over to other chains
On 14/05/22 at 8:26 PM UTC.
After taking time to assess and unlock the router, it was announced that the site was live again and safe to use. Over the period of the attack the attacker secured a total of 252 BNB ($71,763 at time of hack).
Learnings and mitigation methods moving forward
Given the vector for the attack was via social engineering and there is no evidence to suggest that any team accounts were compromised as the team has always followed best security measures, 2FA enabled etcetera, our mitigation methods are limited but options are still available.
1. As a precautionary measure, we have now changed domain providers to a company the team feels have better security layers and won’t be as easily socially engineered. The migration is now complete. With this new domain provider we have upgraded our package to a business tier which gives us a higher level of security and priority support in the event that we require their assistance. We have also spoken with this domain provider to ensure additional layers of security are implemented on their end.
2. The team has composed a war chest of strategies to throw barriers in the way of other possible attackers. For security reasons we will obviously not be disclosing these publicly.
3. As part of V2, the team is taking steps to make sure that our frontend interacts with a middleware which interacts with web3, so if a hacker were to gain control of the frontend the middleware would prevent any manipulation of web3 calls.
4. We are learning from top end protocols like Uniswap on best practices for decentralized hosting of the frontend to mitigate risks of such an attack being possible in the future.
TL;DR: All affected users will be compensated in full for the swaps that they lost.
While this exploit was not directly caused by a lack of security from SpiritSwap’s end, but rather at GoDaddy’s end, the team will take responsibility for the situation and feels that it is only fair to compensate those who lost funds during this event.
With the market in a precarious situation, developer costs stacking up with the development of V2 and the lack of Fantom Foundation grants at this point due to their structural changes in the system, the team will need to do some comprehensive adjustments to budget.
At this stage, our initial analysis of funding and budgets suggests the DAO can afford to compensate the amount by removing funds from our POL treasury. The DAO will compile a snapshot list of wallets affected with the exact amounts and airdrop users their compensation in the form of USDC.
The DAO will aim to have this distributed by the end of the week, however, we are still combing through transactions to ensure the attacker hasn’t double dipped, meaning we don’t want the attacker to be included in the compensation. As such please allow us time while we write up a script to exclude the hackers wallet from the transactions.
Although this hit to the budget will impact our V2 timeline due to having to review budgets and reroute resources, we are glad to say that about 90% of V2 is already complete, with the smart contracts undergoing an audit as we speak.
Path moving forward
The team intends to investigate the incident further and involve the relevant authorities. While it is understood there is little chance of catching the perpetrator, all avenues will be explored to try and recoup the lost funds so the SpiritSwap treasury isn’t forced to take this hit and development work isn’t impacted due to SpiritSwap having to compensate users. We are also working closely with the team at Quickswap, who we both believe were attached by the same person/people.
A note to the attacker
Your actions have not broken us but rather made us stronger in exposing any vector potentials. While your actions are deplorable, it is people like you who allow us to hone our practices and keep not only us, but the entire development community on their toes.
If you do decide to return the funds to the DAO for redistribution to the affected users, the DAO will provide you with a $25K bounty.
Although the situation every developer fears took place, our team was quick to act and put in place all measures available at the time to prevent further loss of funds and mitigate risks.
SpiritSwap will continue to support our community and the Fantom ecosystem, while the team is determined to continue making our mark on the DeFi landscape across Fantom.
SpiritSwap would like to thank again those who reached out to offer their support (special mention to the Fantom Alerts, Yield Monitor and Willy from WalletNow) and our community for remaining so calm and patient while our team did what was necessary to handle the situation.
There is more to the internal investigation that we can not disclose at the moment in order to avoid interference with the investigation. After combing through the logs in more detail, it is apparent that the investigation requires more information. There has been a request for a more detailed copy of the logs from GoDaddy which should provide further information. We did not want to delay this post mortem for the sake of being transparent to the community, however we want to be clear that the investigation is ongoing and we will continue to update the community when we can.
Please stay posted for more updates when they are available.