Long Beach (CoinChapter): Cream Finance was one of many DeFi protocols to fall victim to a DNS hijacking on March 15. The protocol was ultimately able to regain control of its DNS and released a report detailing exactly what happened.
Cream opened the postmortem report by assuring users that their funds were safe and that it had regained control of its DNS. They also thanked the community for its support throughout the incident.
What their investigation found was that their GoDaddy account had been compromised and the domain's DNS records repointed, sending users to a phishing page. They first spotted the phishing page about five minutes after their website went down, and then discovered that their GoDaddy login credentials had been changed and they could no longer log in.
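The gap in this timeline is that the team learned of the hijack only after the site went down. A registrar-level hijack shows up in DNS before any user reports it: the zone's delegation (NS records) or the frontend host's addresses change. The following is an added example, not code from Cream Finance or its report, of a baseline check that a monitor could run every minute and page on. The hostnames, IP addresses (RFC 5737 documentation ranges) and nameserver names are constructed samples, not the protocol's real infrastructure.

```python
"""DNS-hijack detection: diff observed answers for a protocol's domain against
a reviewed baseline and flag drift. Added example; all names and addresses are
constructed sample values, not Cream Finance's real infrastructure."""
import socket

# Records the team signed off on. Constructed sample values.
BASELINE = {
    "A": {"app.example-defi.org": {"203.0.113.10", "203.0.113.11"}},
    "NS": {"example-defi.org": {"ns1.example-registrar.test.",
                                "ns2.example-registrar.test."}},
}


def check_records(baseline, observed):
    """Compare an observed snapshot with the baseline.

    `observed` maps record type -> name -> set of answers. A record type that
    is absent from `observed` was not collected this run and is skipped; a
    name present with an empty set means the lookup returned nothing.
    Returns a list of findings (rtype, name, severity, detail); an empty list
    means every collected name resolved exactly as expected.
    """
    findings = []
    for rtype, names in baseline.items():
        if rtype not in observed:
            continue  # not collected this run
        for name, expected in names.items():
            seen = set(observed[rtype].get(name, ()))
            if seen == expected:
                continue
            if not seen:
                # Resolution failure or empty answer: the "site down" symptom
                # that preceded the phishing page in the Cream timeline.
                severity, detail = "high", "no answer"
            elif rtype == "NS":
                # Delegation moved: the whole zone is under someone else's
                # control, which is what a registrar-account takeover looks like.
                severity, detail = "critical", "delegation changed"
            elif seen & expected:
                severity, detail = "medium", "partial change"  # e.g. one new IP
            else:
                severity, detail = "high", "all addresses replaced"
            findings.append((rtype, name, severity, {
                "detail": detail,
                "added": sorted(seen - expected),
                "removed": sorted(expected - seen),
            }))
    return findings


def resolve_a_records(host):
    """Live A lookup using only the standard library (hypothetical helper for a
    real deployment; NS answers need a proper DNS client such as dig)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


if __name__ == "__main__":
    # Constructed snapshot resembling a hijack: both A and NS repointed.
    hijacked = {
        "A": {"app.example-defi.org": {"198.51.100.7"}},
        "NS": {"example-defi.org": {"ns1.attacker-dns.test."}},
    }
    for rtype, name, severity, detail in check_records(BASELINE, hijacked):
        print(f"[{severity}] {rtype} {name}: {detail}")
```

In a real deployment the snapshot would come from several resolvers (the registrar's own nameservers, plus public recursors such as 1.1.1.1 and 8.8.8.8) so that a hijack is caught even where cached answers still look correct, and a `critical` NS finding would go straight to an on-call page rather than a dashboard.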
About 20 minutes later they contacted CoinGecko, CoinMarketCap and imToken, asking them to update the listed website link and post warning messages. Cream then set up a 'war room' to plan the recovery of its DNS before announcing the hijacking on Twitter, around 90 minutes after first discovering the phishing page.
Two alternative websites were put up so users could continue to use Cream, and the team reclaimed ownership of its DNS just before 1am the following day, around five hours after the website first went down.
Cream Notes That The Hack Only Affected Its Website
Cream noted that the hack affected only its website; its smart contracts and user funds remained safe throughout the attack. They have since deployed their frontend on IPFS and added that they have full control of the ENS record, which they said will prevent this kind of attack in the future. Moving the frontend to IPFS and ENS removes the registrar account as a single point of failure, so the key that controls the ENS record becomes the asset that needs the same protection.
The protocol also went through the account's activity log, noting that their Google account was never compromised. The log showed a password reset request sent to the attacker's email address, but no record of the account's email address being changed. PancakeSwap also confirmed that the same attacker was behind its DNS hijacking.
Cream finished the report by reminding users that it will never ask them to submit a private key or seed phrase.