
The Biggest Threat Isn’t Where You Think
Inside the Compound Finance Website Attack
Author: Seth Hallem
Last week, Compound Finance received reports that the “App” button on its home page redirected to a phishing site hosting a lookalike of the real application. The malicious domain was “compoond” (.finance), close enough to the correct domain that users could easily have missed the one-character difference. With “Connect Wallet” a prominent feature of both the real site and the phished copy, there was a high risk of user funds being drained.
Fortunately, given the timing of the attack and its rapid detection, disaster was averted. The Compound team was promptly alerted to the issue, and Certora worked with other security teams to make sure it was communicated quickly and resolved before any damage was done.
But let’s dive into the root cause of the incident and look at some of the important lessons that can be learned.
First, the attacker used credentials for a cloud storage bucket to upload a malicious JavaScript file, which was then automatically deployed to https://compound.finance. There was no flaw in the application code, the smart contracts, or the private keys, nor in any of the other attack vectors we are acutely aware of in the Web3 space.
Instead, this was a simple infrastructure attack targeting a component that had not been touched in years by the Compound community, Certora, or any other provider to the DAO. Our takeaway: security is only as strong as the weakest link in the chain, and the weakest link is often an overlooked or forgotten part of the infrastructure rather than a heavily audited and tested segment.
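One cheap control that would have flagged the symptom described above (a first-party page suddenly linking to a lookalike domain, or loading script from an unexpected host) is a periodic outbound-link audit of the served HTML. The script below is an added example written for this post, not tooling from Compound, the DAO, or Certora. The sample HTML is constructed for the demonstration; the canonical domain compound.finance and the lookalike compoond.finance are taken from the incident as described above, while the extra allowlisted CDN host and the two-edit lookalike threshold are assumptions chosen for the example.

```python
"""Audit a served page for outbound links and script sources that leave the
expected domain, and flag near-miss (lookalike) domains.

Added example for this post; not Compound's or Certora's own tooling.
The SAMPLE_HTML below is constructed, and the extra allowlist host and the
lookalike edit-distance threshold are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

CANONICAL_DOMAIN = "compound.finance"          # from the incident write-up
EXTRA_ALLOWED_HOSTS = {"static.example-cdn.com"}  # assumed third-party host
LOOKALIKE_MAX_EDITS = 2                         # assumed heuristic threshold


class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags and src targets of <script> tags."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "script" and attrs.get("src"):
            self.targets.append(("script", attrs["src"]))


def levenshtein(a, b):
    """Edit distance between two strings; catches 'compoond' vs 'compound'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    """Return the lowercased host of an absolute URL, or None for relative,
    mailto: and similar targets that carry no host."""
    host = urlparse(url).hostname
    return host.lower() if host else None


def is_allowed(host, canonical=CANONICAL_DOMAIN, extra=EXTRA_ALLOWED_HOSTS):
    """A host is allowed if it is the canonical domain, a subdomain of it,
    or an explicitly allowlisted third-party host."""
    return host == canonical or host.endswith("." + canonical) or host in extra


def audit_page(html, canonical=CANONICAL_DOMAIN, extra=EXTRA_ALLOWED_HOSTS):
    """Return findings as (tag, url, reason) for every link or script target
    whose host is not allowed. reason is 'lookalike' when the registrable
    part of the host is within LOOKALIKE_MAX_EDITS of the canonical domain,
    otherwise 'off-allowlist'."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.targets:
        host = host_of(url)
        if host is None or is_allowed(host, canonical, extra):
            continue
        # Compare the last two labels so evil.compoond.finance is still caught.
        base = ".".join(host.split(".")[-2:])
        if levenshtein(base, canonical) <= LOOKALIKE_MAX_EDITS:
            reason = "lookalike"
        else:
            reason = "off-allowlist"
        findings.append((tag, url, reason))
    return findings


# Constructed sample page: the "App" button points at the lookalike domain,
# one script is pulled from an unexpected host, the rest is legitimate.
SAMPLE_HTML = """
<html><body>
<a href="https://compoond.finance/app">App</a>
<a href="/markets">Markets</a>
<a href="https://docs.compound.finance/">Docs</a>
<a href="mailto:security@compound.finance">Contact</a>
<script src="https://app.compound.finance/main.js"></script>
<script src="https://static.example-cdn.com/vendor.js"></script>
<script src="https://cdn.example.net/inject.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reason in audit_page(SAMPLE_HTML):
        print(f"[{reason}] <{tag}> {url}")
```

Run against the live page on a schedule and diff the findings against a baseline; any new lookalike or off-allowlist entry is worth paging on. Note what this does and does not cover: it catches the visible symptom (the redirect to compoond.finance, or a script injected from a host you do not control), not the root cause. A malicious file uploaded to the deploy bucket and served from the first-party domain passes this check, so the control for that half of the incident is least-privilege, rotated, monitored credentials on the deployment path itself.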
The second insight is that developers of deep and complex technologies often assume that the hardest-to-build component of a system must also be the one most likely to be exploited. This is a common fallacy. While some hacks in DeFi result from subtle errors in complex math, the most common attack vector remains private key exfiltration. These attacks are usually simple: an email or other phishing lure directs a user to connect a hot wallet to a malicious site. Our takeaway: simple, social attacks succeed because they exploit humans, not code.
Building a secure system requires a comprehensive understanding of threats and vulnerabilities. Our industry is learning daily that while the on-chain threat persists, the off-chain threat is formidable and growing.