Ether.fi foils domain hijack attempt, credits enhanced security measures

Sep 25,2024

DeFi protocol Ether.fi reported an attempted domain account takeover on Sept. 24 involving its domain registrar, Gandi.net, according to a Sept. 25 github post by the protocol.

According to Ether.fi, the incident saw attackers try to exploit Gandi’s recovery process to gain control of Ether.fi’s domain. The first indication of the breach came at 16:38 UTC when the team received an email recovery notification from Gandi.

After verifying the email’s SPF, DKIM, and DMARC records, the team confirmed that attackers had attempted to access their account by using Gandi’s legitimate recovery flow.

Ether.fi promptly engaged Gandi on multiple platforms, and by 19:30 UTC, the account was successfully locked to prevent further tampering. The company restored its nameserver configurations, and an internal review found no evidence of a breach within its systems.

Ether.fi said:

“In light of recent attacks on similar platforms, we had already upgraded security by enforcing hardware authentication across key systems.”

It further noted that these preventive steps helped secure their infrastructure. Gandi’s rapid response, combined with Ether.fi’s safeguards prevented unauthorized access to the domain and ensured the security of their websites, applications, and email services.

Ether.fi expressed gratitude to its security partners, including Seal911, Doppel, Ethena, and Distrust, who offered immediate assistance during the incident.

The protocol assured users that all funds remained safe and no malicious decentralized applications (dApps) were deployed. It added that it would release additional details about the incident in the coming days in coordination with Gandi’s team.