DNS Incident Recap
On March 15th, PancakeSwap was targeted by an attacker who gained access to our GoDaddy account and hijacked our DNS (Domain Name System) records.
This was a coordinated attack: Cream.Finance was targeted by the same malicious actor, as confirmed by the GoDaddy event log, which records the IP addresses used.
Simply put, while we’re still investigating, our current understanding is that the attacker tricked our domain registrar, GoDaddy, into giving them access to our account. They then redirected our domain to a copycat site that tried to trick users into entering their wallet’s seed phrase.
PancakeSwap’s contracts were not affected: the attack was limited only to the website front-end, which is just one way to interact with the contracts.
A simple timeline of events (all times listed are UTC+8):
21:10 — Cream announces on Twitter that their DNS has been hijacked. We begin looking at our own DNS to check if a similar issue could occur. We’re on high alert and monitoring the situation.
22:27 — PancakeSwap website becomes inaccessible.
22:36 — PancakeSwap team tweets that there’s a possibility our DNS has also been hijacked. We believe it’s better to warn early and be wrong than to put users at risk by waiting.
22:42 — We confirm that our DNS has been hijacked and immediately start to work on a solution.
22:45 — We start reaching out to as many information service providers as possible that link to PancakeSwap, such as CoinGecko and CoinMarketCap, asking them to remove links to PancakeSwap where possible and/or add warning notes on their sites.
22:50 — We purchase https://pancakeswap.ai as a backup domain and deploy the website to the domain.
23:00 — We begin the process to recover our DNS.
00:03 — We regain full access to our DNS and restore our original Cloudflare settings.
00:30 — We help connect C.R.E.A.M. with Binance and assist them in recovering their services.
06:00 — We deploy an IPFS backup.
00:49 — Our DNS is fully propagated and returned to normal for all users.
10:01 — @sniko_ (Harry.eth) issues a pull request to MetaMask to remove the phishing scam warning alert now that the site has fully recovered.
Do PancakeSwap users have anything to worry about?
The attacker used an unsophisticated phishing attack that required users to enter their seed phrase. If you did not enter your seed phrase on the compromised site, then there is nothing to be concerned about.
How did this happen?
We’re still in the process of investigating, but the attack on PancakeSwap aligns very closely with the C.R.E.A.M. attack: it is likely the attacker socially engineered their way into our GoDaddy account through GoDaddy customer service. It’s clear that this lack of security is not unusual for GoDaddy (see: GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services).
What steps are we taking forward to prevent this from happening again?
- We are migrating from GoDaddy to MarkMonitor to ensure that our domains are managed in the most secure manner.
- We will maintain multiple backup domains, both on and off IPFS, to ensure that the site stays accessible in case of emergency.
- We’ve ensured that every account owned by the PancakeSwap team has the highest security settings available, and improved our overall security settings when accessing our services (removed legacy TLS protocols, ensured email spoofing is not possible with the pancakeswap.finance domain, enabled DNSSEC).
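The controls above (a known-good DNS configuration, DNSSEC, and anti-spoofing mail records) are only useful if someone notices when they silently change, which is exactly what happened on the night of the incident. The following is an added example, not PancakeSwap’s own tooling: a small stdlib-only Python monitor that compares an observed DNS snapshot against a baseline and flags the signs of a registrar-level takeover (nameserver set replaced, apex pointed at unexpected addresses, DS record dropped), and separately checks whether the domain’s SPF and DMARC records actually fail spoofed mail. The domain names, nameservers and IP addresses are constructed placeholders; in a real deployment the "observed" snapshot would be populated from a resolver on a schedule.

```python
"""Detect drift from a known-good DNS baseline and weak mail-authentication records.

Stdlib only. All record sets below are constructed samples for a placeholder
domain; in production the observed snapshot would be filled from a resolver
(e.g. dnspython) on a schedule and the findings routed to an on-call channel.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class DnsSnapshot:
    ns: frozenset[str]                 # authoritative nameserver hostnames
    a: frozenset[str]                  # IPv4 addresses the apex resolves to
    ds_present: bool                   # DS record at the parent zone (DNSSEC chain intact)
    txt: tuple[str, ...] = ()          # TXT records at the apex (SPF lives here)
    dmarc_txt: tuple[str, ...] = ()    # TXT records at _dmarc.<domain>


def check_drift(baseline: DnsSnapshot, observed: DnsSnapshot) -> list[str]:
    """Compare an observed snapshot with the baseline; each string is an alertable finding."""
    findings = []
    if observed.ns != baseline.ns:
        findings.append(
            f"NS set changed: expected {sorted(baseline.ns)}, got {sorted(observed.ns)}"
        )
    unexpected = observed.a - baseline.a
    if unexpected:
        findings.append(f"apex resolves to unexpected addresses: {sorted(unexpected)}")
    if baseline.ds_present and not observed.ds_present:
        findings.append("DS record missing at parent: DNSSEC chain of trust removed")
    return findings


def spf_all_qualifier(txt_records) -> str | None:
    """Qualifier on the terminating 'all' mechanism ('-', '~', '?', '+'), or None if no SPF.

    A record with no 'all' term evaluates to neutral, so it is reported as '?'
    (redirect= modifiers are not followed here).
    """
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", rec, re.IGNORECASE)
            if not m:
                return "?"
            return m.group(1) or "+"   # bare 'all' means '+all'
    return None


def dmarc_policy(dmarc_txt_records) -> str | None:
    """The p= tag of the DMARC record (lower-cased), or None when no record exists."""
    for rec in dmarc_txt_records:
        if rec.lower().startswith("v=dmarc1"):
            parts = (part.partition("=") for part in rec.split(";") if part.strip())
            tags = {k.strip().lower(): v.strip() for k, _, v in parts}
            return tags.get("p", "none").lower()   # a record without p= enforces nothing
    return None


def mail_spoofing_findings(snapshot: DnsSnapshot) -> list[str]:
    """Findings about whether mail claiming to be from the domain can be forged."""
    findings = []
    spf = spf_all_qualifier(snapshot.txt)
    if spf is None:
        findings.append("no SPF record: any host may send mail as this domain")
    elif spf not in ("-", "~"):
        findings.append(f"SPF terminates with '{spf}all': unauthorised senders are not failed")
    dmarc = dmarc_policy(snapshot.dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record: receivers will not enforce SPF/DKIM alignment")
    elif dmarc == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    return findings


# Constructed sample: the intended configuration for a placeholder domain.
BASELINE = DnsSnapshot(
    ns=frozenset({"ns1.example-dns.net", "ns2.example-dns.net"}),
    a=frozenset({"198.51.100.10", "198.51.100.11"}),
    ds_present=True,
    txt=("v=spf1 include:_spf.example-mail.net -all",),
    dmarc_txt=("v=DMARC1; p=reject; rua=mailto:dmarc@example.org",),
)

# Constructed sample of what a resolver might return after a registrar-level takeover:
# nameservers replaced, apex pointed elsewhere, DS record dropped, SPF weakened.
HIJACKED = DnsSnapshot(
    ns=frozenset({"ns1.rogue-hosting.example", "ns2.rogue-hosting.example"}),
    a=frozenset({"203.0.113.77"}),
    ds_present=False,
    txt=("v=spf1 +all",),
    dmarc_txt=(),
)

if __name__ == "__main__":
    for label, snap in (("baseline", BASELINE), ("observed", HIJACKED)):
        print(f"[{label}] drift:", check_drift(BASELINE, snap) or "none")
        print(f"[{label}] mail:", mail_spoofing_findings(snap) or "none")
```

Run on a schedule from infrastructure that does not share credentials with the registrar account, an NS-set change or a vanished DS record is a page-worthy alert on its own: it is the one signal that fires regardless of what the attacker puts behind the new nameservers.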
Were any users affected?
Fortunately, we haven’t received any confirmed reports of user loss as a result of the attack so far. If you have evidence that you entered your seed phrase on the fake site and that the attacker has stolen your funds, we recommend that you report this directly to law enforcement and follow up with Binance and other BSC-compatible exchanges to blacklist the receiving addresses.
We’d like to offer a huge thank you to all of those that reached out to help us, and for the community’s patience and support during the incident. We apologize for the inconvenience caused, and appreciate your understanding: once again we’ve been overwhelmed by the support of the community during a difficult time.
Thank you. 🐰