Ether.fi credits security updates and partners with preventing a domain account takeover before user funds were taken.
Ether.fi, a decentralized finance (DeFi) staking platform, reported that no user funds were compromised following a recent domain takeover attempt.
On Sept. 24, the protocol experienced an attempted domain account hijacking through its registrar, Gandi.net. Fortunately, the attack was stopped before any significant damage could be done.
The Ether.fi team confirmed that attackers were unable to deploy a malicious decentralized application (DApp) on any of their domains.
Ether.fi’s Response to the Attack
The incident began on Sept. 24 when Ether.fi received a recovery notification email from Gandi.net at 4:38 pm UTC.
Upon further verification using security measures like “SPF, DKIM, and DMARC authentication records,” the team realized the email was part of the attack.
According to an official post on Ether.fi’s Gitbook, “it was established an attacker attempted to use the legitimate Gandi recovery flow to gain access to etherfi’s Gandi account.” Ether.fi quickly contacted Gandi through various channels, and by 7:30 pm UTC, the account was secured to prevent further tampering.
Security Enhancements
Prior security upgrades helped mitigate the domain takeover threat. Weeks before the attack, Ether.fi had observed a rise in similar exploitation attempts across other platforms.
As a result, the protocol upgraded its key systems to require hardware authentication for account recovery and management.
The Ether.fi team credited security partners like Seal911, Doppel, Ethena, and Distrust for their swift assistance during the attack.
User Communication and Fund Safety
At 7:13 pm UTC on Sept. 24, Ether.fi advised its users via social media platform X not to “click on any links” or engage with its domain. The team clarified that official updates would only come through X or Discord and not via email.
After resolving the issue, Ether.fi reassured users that “all funds are safe” and that attackers had “no opportunity” to deploy any malicious DApps “on any ether.fi-related domain.”