11/29/2023 — Incident Report

Velodrome (🚴,🚴)
Dec 3, 2023


Created By: Alex, Stas, Jack

Last Modified: 2023–12–03

This document examines, in-depth, the technical, organizational, and process-oriented reasons that led to funds being drained from the velodrome.finance and aerodrome.finance domain websites.

For more information and documentation, or to ask us any further questions, please visit our Discords.

Summary

The domains velodrome.finance and aerodrome.finance went through a DNS attack which resulted in an estimated loss/damage of [up to] $250,000 to individuals who interacted with the attacker’s websites. This report represents an early and provisional understanding of the attack and may be updated and modified as the investigation continues.

Following the implementation of remedial measures, continued testing, and user feedback, we found no trace that any internal or external accounts linked to Velodrome/Aerodrome, or linked to the registrar, had been compromised.

The attacker used a social engineering attack on the domain registrar to gain ownership control of the account that holds domain names, overriding 2FA and other security mechanisms. As a result, the attacker was able to change the nameservers of the domains and to route the legitimate domain traffic to malicious clones of the Velodrome/Aerodrome websites.

The attacker’s malicious websites prompted users to connect their wallets and to sign transactions which approved asset transfers to the following wallets on multiple chains:

  • 0xf64fcedfce714bbe835761e54d7067f2f8231443
  • 0x02ba13f39d7df9c3f7592257b636ed6c7cc4ae78
  • 0x554b54b6691e1f90a5902bf46d24d7f316e33b11
  • 0x927e18fd7c854f43ae9f3c6ec4d03de28ab092dc
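To identify users who need to revoke approvals or who already lost funds, a defender can scan ERC-20 Approval and Transfer event logs for the attacker wallets listed above. The following is an added example, not code from Velodrome/Aerodrome: it consumes the JSON shape returned by eth_getLogs, and the log entries, victim, router and token addresses are constructed for the demonstration.

```python
"""Flag ERC-20 approvals and transfers whose spender/recipient is one of the
attacker wallets named in this report. Input is the eth_getLogs JSON shape;
the sample logs below are constructed, not real chain data."""

ATTACKER_WALLETS = {
    "0xf64fcedfce714bbe835761e54d7067f2f8231443",
    "0x02ba13f39d7df9c3f7592257b636ed6c7cc4ae78",
    "0x554b54b6691e1f90a5902bf46d24d7f316e33b11",
    "0x927e18fd7c854f43ae9f3c6ec4d03de28ab092dc",
}
# keccak256 of the canonical ERC-20 event signatures (standard topic hashes)
TOPIC_APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TOPIC_TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UNLIMITED = 2**256 - 1  # the "infinite approval" value drainer sites typically request

def topic_to_address(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def classify(log: dict):
    """Return a hit dict if the log involves an attacker wallet, else None."""
    topics = log["topics"]
    if len(topics) != 3:
        return None  # Approval/Transfer carry exactly two indexed addresses
    sig = topics[0].lower()
    if sig == TOPIC_APPROVAL:
        kind, party = "approval", topic_to_address(topics[2])  # spender
    elif sig == TOPIC_TRANSFER:
        kind, party = "transfer", topic_to_address(topics[2])  # recipient
    else:
        return None
    if party not in ATTACKER_WALLETS:
        return None
    amount = int(log["data"], 16)  # uint256 value in the data field
    return {"kind": kind, "victim": topic_to_address(topics[1]),
            "token": log["address"].lower(), "attacker": party,
            "amount": amount, "unlimited": amount == UNLIMITED,
            "tx": log["transactionHash"]}

def scan(logs):
    return [hit for hit in map(classify, logs) if hit]

# Constructed sample data (addresses below are placeholders, not real parties)
def pad(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")
VICTIM, ROUTER, TOKEN = ("0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20)
SAMPLE_LOGS = [
    {"address": TOKEN, "topics": [TOPIC_APPROVAL, pad(VICTIM), pad("0xf64fcedfce714bbe835761e54d7067f2f8231443")],
     "data": "0x" + "f" * 64, "transactionHash": "0xaaaa"},          # unlimited approval to attacker
    {"address": TOKEN, "topics": [TOPIC_APPROVAL, pad(VICTIM), pad(ROUTER)],
     "data": "0x" + "0" * 63 + "1", "transactionHash": "0xbbbb"},    # benign approval, ignored
    {"address": TOKEN, "topics": [TOPIC_TRANSFER, pad(VICTIM), pad("0x02ba13f39d7df9c3f7592257b636ed6c7cc4ae78")],
     "data": hex(5 * 10**18), "transactionHash": "0xcccc"},          # tokens already drained
]
```

Hits with `unlimited` set are the ones where the victim must revoke the allowance; transfer hits are funds already moved.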

A non-comprehensive list of IP addresses used by the attacker, likely VPN addresses, follows:

  • 51.89.204.23
  • 167.88.61.175
  • 2001:ac8:8b:26::d001

Timeline

All times ET.

[22nd of November]

--:-- First social engineering attempt directed at registrar support. The owner of the domain names is not notified. Ongoing attempts continue for multiple days, including multiple failed fake identity verifications associated with Velodrome and Aerodrome, using names that are both on and not on the registrar account.

No notification of the domain owner that this attack is underway as it proceeds.

[28th of November]

--:-- Attacker successfully gains access to account via invalid ID verification.

1:58 [First Attack Begins]
The attacker creates an API key as the owner of the account.

The nameservers are changed to harley.ns.cloudflare.com and danica.ns.cloudflare.com.

2:00 Domain name owner receives the email from the registrar about the ownership change

2:31 First user report received that the websites are compromised

2:37 [First Mitigation Begins]
Investigation started and attack confirmed

2:58 The first announcements of the attack are distributed via social channels and users are advised to not use the affected domains

3:09 First attempt to reach out to the registrar.

3:13 Next attempt, followed by attempts at 6:51, 8:31, 8:56, 8:57, 9:00, 9:02, 9:10, 9:15, 9:24, 9:30

5:05 Cloudfront abuse request confirmation received

9:31 The registrar returns the call and is requested to freeze the account and remove any nameservers, initiate an investigation and help with access recovery. The registrar requests 1 hour before being able to escalate the case.

9:55 The registrar sends an email requesting KYC for the account

11:05 The non-owner user (domain names technical contact / authorized user) submits the KYC

13:11 The registrar requests the owner to KYC

13:12 The registrar is asked to perform the KYC while on the call with them, to speed things up

13:13 Cloudflare escalated the abuse request

13:20 The registrar is reached by phone with the request to freeze the account and remove the nameservers. The KYC is requested again and the conversation ends.

13:36 The registrar representative returns the call to assist with the KYC process and locks down the account. The KYC passes and the removal of the attacker's nameservers is accepted.

13:49 [First Attack Ends]
The nameservers removal confirmed

14:00 Owner account restored. The access is still locked due to the 2FA reset.

14:00 Cloudflare is contacted to remove the restrictions/abuse flags on the domain names. Because the registrar uses Cloudflare nameservers and Cloudflare has abuse restrictions in place, those nameservers refuse to serve the affected domain names.

14:13 The registrar is contacted to assist with the 2FA reset

14:46 The registrar reaches out to assist with the 2FA reset

16:51 The registrar is contacted to help lift the restrictions on the Cloudflare nameservers

16:54 The registrar is reached by phone and confirms they are working on lifting the restrictions with Cloudflare

18:07 The owner account was restored

[30th of November]

7:43 Nameservers moved to he.net and DNS records restored

7:53 [First Mitigation Ends]
Domain names were restored to serve the correct websites

8:01 Metamask team is requested to lift the restrictions/alerts

9:59 Metamask restrictions/alerts lifted

12:00 Legal counsel call on the next steps

13:44 Cloudflare restrictions for the affected domain names lifted

15:30 DNS vendor call on the next steps to migrate the domain names

[1st of December]

21:42 [Second Attack Begins]
First user report that the websites are compromised again

21:42 [Second Mitigation Begins]
Investigation started and confirmed we are under attack; the attacker's nameservers were added back

21:46 First announcement about the second attack went out

21:56 First attempt to reach out to the registrar via all available channels

22:17 The registrar VP was reached and the case got escalated

22:38 The registrar reached out and started freezing the domain name access

23:13 [Second Attack Ends]
The nameservers were restored to point to the safe websites. The registrar is requested to do an audit of the access to our domain names and owner account. The attacker API key is removed. The domain names are requested to be locked at the TLD level pending a transfer in the next few days.

[2nd of December]

00:16 [Second Mitigation Ends]
Announcement about the services being restored is out

Root Cause

The root cause of the attack was a series of carefully orchestrated social engineering attempts to take over access to the velodrome.finance and aerodrome.finance domain names. The lack of verified ownership records for the domain names (generally a yearly requirement by ICANN) and the lack of alerting protocols for break-in attempts spanning several days led to access being granted to the attacker, in breach of the registrar's 2FA requirement. The registrar's delayed reactions to standard OpSec demands to freeze the domain operations, and its failure to have control or a direct line over the nameserver restrictions (managed by the registrar's partner), gave the attacker a generous window in which to conduct the attack.
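The first user report arrived about 30 minutes after the nameservers were changed, and the registrar did not alert on the preceding break-in attempts. A domain owner can close part of that gap by polling their own NS records against an allowlist. The following monitor is an added example, not Velodrome/Aerodrome code; the allowlisted hostnames are placeholders (the report names he.net but not the specific records), live lookups assume `dig` is on PATH, and the sample resolver output replays the attacker nameservers named in the timeline.

```python
"""Nameserver-drift monitor for owned domains.

Alerts when any NS record returned by a resolver is not allowlisted, or when
an expected record is missing (an empty answer counts as missing everything).
Live lookups shell out to `dig +short NS <domain>`; the sample below replays
constructed output so the check runs offline.
"""
import shutil
import subprocess
from dataclasses import dataclass

# Allowlisted nameservers per domain. Hostnames are assumed placeholders,
# not the real post-migration records of these domains.
EXPECTED_NS = {
    "velodrome.finance": {"ns1.trusted-dns.example", "ns2.trusted-dns.example"},
    "aerodrome.finance": {"ns1.trusted-dns.example", "ns2.trusted-dns.example"},
}

@dataclass(frozen=True)
class Alert:
    domain: str
    unexpected: frozenset  # records present but not allowlisted
    missing: frozenset     # allowlisted records absent from the answer

    def __str__(self):
        return (f"NS DRIFT {self.domain}: unexpected={sorted(self.unexpected)} "
                f"missing={sorted(self.missing)}")

def parse_dig_short(output: str) -> set:
    """Normalize `dig +short NS` text: lowercase, no trailing dot, no blank lines."""
    return {ln.strip().rstrip(".").lower() for ln in output.splitlines() if ln.strip()}

def resolve_ns(domain: str) -> set:
    """Live lookup; requires `dig` on PATH (not used by the offline sample)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found on PATH")
    proc = subprocess.run(["dig", "+short", "NS", domain],
                          capture_output=True, text=True, check=True)
    return parse_dig_short(proc.stdout)

def check_domain(domain: str, observed: set):
    """Return an Alert when the observed NS set differs from the allowlist, else None."""
    allowed = EXPECTED_NS[domain]
    unexpected, missing = observed - allowed, allowed - observed
    if not unexpected and not missing:
        return None
    return Alert(domain, frozenset(unexpected), frozenset(missing))

# Constructed sample: what a resolver returned during the hijack, using the
# attacker nameservers named in this report.
SAMPLE_DIG_OUTPUT = "harley.ns.cloudflare.com.\ndanica.ns.cloudflare.com.\n"

if __name__ == "__main__":
    print(check_domain("velodrome.finance", parse_dig_short(SAMPLE_DIG_OUTPUT)) or "no drift")
```

Run it from cron against every owned domain and page on any Alert; a partial overlap with the allowlist is still drift.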

Action Items

DEVCO-68: Collect affected users' transaction and KYC details for a potential mitigation program

DEVCO-69: Launch bounty program to facilitate the return of funds and further investigation of the attack

DEVCO-70: Finalize the review of the decentralized and non-decentralized DNS providers and transfer the domain names to the new infrastructure

Appendix

We’re still working together with all the parties on gathering the logs and supporting material to better understand the attack and attacker.

Dune query returning all the wallets, amounts and transactions towards the attacker addresses: https://dune.com/queries/3249843

Written by Velodrome (🚴,🚴)

The central trading and liquidity marketplace on Optimism.