Update for sfrxETH deposits on Kelp DAO

Divyushii

Jul 19, 2024


Kelp dApp UI attack | Post mortem

At Kelp, the security of user assets is our top priority. We want to transparently share the post mortem of the UI attack that happened on July 22, 2024, and how we plan to mitigate such incidents in the future. To begin with, this issue only impacted the UI. Smart contracts and staked user funds remained unaffected and completely safe.

Incident:
At 3:30 PM UTC on July 22, 2024, Kelp's dApp started prompting users with malicious wallet transactions intended to drain funds.

Incident response:
The Kelp team immediately posted an update on Twitter, TG and Discord channels asking users not to interact with the dApp until more details emerged. Upon the first incident report, our engineering team evaluated the situation and identified the root cause to be faulty nameservers routing users to different application code that attempted to phish them.

Within 30 minutes of the first report, our team got GoDaddy to lock the owning account against further changes. We provided more information to GoDaddy to authenticate ownership and gain access to the account.

Within 4 hours of the incident being reported, GoDaddy had restored ownership access, at which point the Kelp team promptly restored the settings to make the Kelp dApp accessible to users again. At 7:30 PM UTC the same day, the Kelp dApp began to offer the correct functionality. We gradually let users know that the dApp was safe to use again while monitoring it constantly throughout. The issue was fully resolved by 8:30 PM UTC, 5 hours from the time the incident was first reported.

How did the attack take place?
The attackers gained access to Kelp's domain registrar account by impersonating the Kelp team. They successfully convinced GoDaddy's customer support that they were the legitimate owners of the account, bypassing the 2-FA that was in place. These attacks are very similar to the recent DNS hijacking that we have seen with several other crypto protocols over the last month.

It is appalling to note that the Kelp team was not notified even once when all security restrictions were bypassed by GoDaddy customer support. We are working with GoDaddy to understand further details of the situation.

How do we plan to prevent similar incidents from happening?
We are actively taking precautionary measures to avoid a similar issue moving forward. You can expect to see the following changes go through over the next couple of weeks.

- Given the lapse of security at GoDaddy, we will be moving away from GoDaddy to another domain registrar shortly.
- Strengthening alerts related to abnormal UI behaviors etc.

Were any users affected?
We have received a few reports from users of funds lost because of this UI attack. If you are an affected user, please enter your details here so our team can work with you to support you better.

We are thankful to all of our Twitter partners, users and our team for responding swiftly so that damage to users was mitigated. If you have any other concerns, please reach out to us on our Telegram channel.
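The root cause described above was a nameserver change made through the registrar account. As an added example (not Kelp's code or tooling), this Python check compares a registry RDAP domain record against a pinned baseline and flags nameserver drift, missing registrar locks and a recent change event. Using RDAP as the data source, the baseline hosts, the required lock set and the sample record are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Pinned baseline (constructed values; replace with your own delegation).
BASELINE_NS = {"ns1.dns-provider.example", "ns2.dns-provider.example"}
# RDAP status values that indicate registrar-side locks are in place.
REQUIRED_LOCKS = {"client transfer prohibited", "client update prohibited"}

def norm(host):
    """Lower-case and drop the trailing dot so set comparison is exact."""
    return host.strip().rstrip(".").lower()

def check_rdap(doc, now, baseline=BASELINE_NS, recent=timedelta(hours=24)):
    """Return alert strings for one RDAP domain object (RFC 9083 layout)."""
    alerts = []
    seen = {norm(n["ldhName"]) for n in doc.get("nameservers", []) if "ldhName" in n}
    expected = {norm(h) for h in baseline}
    if not seen:
        alerts.append("NS_MISSING: no nameservers in response")
    for host in sorted(seen - expected):
        alerts.append(f"NS_UNEXPECTED: {host}")
    for host in sorted(expected - seen):
        alerts.append(f"NS_REMOVED: {host}")
    status = {s.lower() for s in doc.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - status):
        alerts.append(f"LOCK_ABSENT: {lock}")
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "last changed":
            when = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            if timedelta(0) <= now - when <= recent:
                alerts.append(f"RECENT_CHANGE: {ev['eventDate']}")
    return alerts

# Constructed RDAP response: one nameserver swapped, locks gone, fresh change.
SAMPLE = json.loads("""{
  "objectClassName": "domain", "ldhName": "dapp.example",
  "status": ["active"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.UNKNOWN-DNS.EXAMPLE."},
    {"objectClassName": "nameserver", "ldhName": "ns2.dns-provider.example"}],
  "events": [{"eventAction": "last changed", "eventDate": "2030-01-01T12:00:00Z"}]
}""")

if __name__ == "__main__":
    now = datetime(2030, 1, 1, 12, 20, tzinfo=timezone.utc)  # constructed clock
    for line in check_rdap(SAMPLE, now):
        print(line)
```

Run on a schedule from infrastructure that does not depend on the monitored domain, and route any alert to an out-of-band channel.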
