The Balancer team, creators of the Ethereum-based automated market maker, revealed that a social engineering attack on its DNS service provider, EuroDNS, triggered a security breach on September 19. The breach resulted in a substantial loss of approximately $238,000 in cryptocurrency.
In a post dated September 20, the company clarified, “After investigation, it is clear that this was a social engineering attack on EuroDNS, the domain registrar used for .fi TLDs.”
Only eight hours after the initial alert, the DeFi protocol’s decentralized autonomous organization (DAO) sprang into action to combat the DNS attack and initiated efforts to restore its user interface. By 5:45 pm UTC on September 20, the company successfully regained control of its domain, securing it from further compromise. The platform also reassured users that subdomains “app.balancer.fi” and “balancer.fi” are now safe to use.
However, the company recommended that other projects sharing the same top-level domain explore the option of migrating to a more secure registrar to prevent similar incidents in the future.
Balancer Hacker’s Techniques Revealed
Blockchain security firms SlowMist and CertiK detailed the attacker’s techniques. They reported that the attacker utilized Angel Drainer phishing contracts. According to SlowMist, the attackers targeted the company’s website using Border Gateway Protocol hijacking, a method involving the manipulation of internet routing tables to seize control of IP addresses.
The attackers then tricked users into “approving” and transferring funds through the “transferFrom” function to the Balancer exploiter.
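As an added illustration (not code from Balancer, SlowMist or CertiK): a wallet stays exposed to this kind of drain for as long as it holds a live ERC-20 allowance for the attacker's contract, so a defender can replay the wallet's Approval event logs and list allowances granted to spenders outside a known-good allowlist. The event layout follows the ERC-20 standard; the addresses, the allowlist and the function names are constructed for the example.

```python
# Added example; every address and log entry below is constructed sample data.
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def decode_approval(log):
    """Return (token, owner, spender, amount), or None if not an ERC-20 Approval."""
    topics = log.get("topics", [])
    # ERC-721 Approval shares this signature but indexes tokenId (4 topics): skip it.
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    addr = lambda t: "0x" + t[-40:].lower()  # indexed address = low 20 bytes of topic
    amount = int(log["data"], 16) if len(log["data"]) > 2 else 0
    return log["address"].lower(), addr(topics[1]), addr(topics[2]), amount

def risky_approvals(logs, wallet, trusted_spenders):
    """Replay logs in order; return the wallet's live allowances to spenders
    outside the allowlist. On-chain allowance(owner, spender) is authoritative."""
    wallet, live = wallet.lower(), {}
    trusted = {s.lower() for s in trusted_spenders}
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != wallet:
            continue
        token, _, spender, amount = decoded
        if amount == 0:
            live.pop((token, spender), None)  # approve(spender, 0) revokes
        else:
            live[(token, spender)] = amount
    return [{"token": t, "spender": s, "amount": a, "unlimited": a == MAX_UINT256}
            for (t, s), a in live.items() if s not in trusted]

def _log(token, owner, spender, amount, extra_topics=()):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "data": "0x" + format(amount, "064x"),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender), *extra_topics]}

WALLET, TOKEN = "0x" + "11" * 20, "0x" + "aa" * 20
ROUTER, UNKNOWN, OTHER = "0x" + "22" * 20, "0x" + "dd" * 20, "0x" + "ee" * 20
SAMPLE_LOGS = [
    _log(TOKEN, WALLET, ROUTER, MAX_UINT256),   # allowlisted spender
    _log(TOKEN, WALLET, UNKNOWN, MAX_UINT256),  # unlimited, unknown spender
    _log(TOKEN, WALLET, OTHER, 500),            # granted ...
    _log(TOKEN, WALLET, OTHER, 0),              # ... then revoked
    _log(TOKEN, WALLET, UNKNOWN, 0, ["0x" + "0" * 63 + "7"]),  # ERC-721 shape
]

if __name__ == "__main__":
    print(risky_approvals(SAMPLE_LOGS, WALLET, {ROUTER}))
```

Any allowance this reports is revoked by calling approve(spender, 0) on the token contract from the affected wallet.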
On September 20, SlowMist suggested that the hacker, potentially linked to Russia, had converted some of the stolen Ether (ETH) into Bitcoin (BTC) via THORChain before eventually returning the ETH to the Ethereum network. In an earlier post, SlowMist also noted that the hacker had transferred approximately 15 wrapped-Ether (wETH.e) on the Avalanche blockchain.
Despite the company’s assurance regarding the safety of its subdomains under “balancer.fi,” users still encounter a “Deceptive site ahead” warning when attempting to access the Balancer website.