eth.limo Temporarily Hijacked: Attacker Tricks EasyDNS
The eth.limo gateway was briefly hijacked after an attacker impersonated a team member, convincing EasyDNS to initiate an account recovery flow. This incident exposed the potential risks of decentralized access relying on centralized support processes.
Understanding the Hijack
The attacker contacted EasyDNS at 7:07 p.m. EDT on April 17, posing as an eth.limo team member. The domain's nameservers were changed to Cloudflare at 2:23 a.m. EDT on April 18, triggering automated downtime alerts. The nameservers were then changed to Namecheap at 3:57 a.m. before the legitimate team regained access at 7:49 a.m.
Impact of the Breach
Phishing Risks
The compromise briefly created a potential phishing risk across a wide slice of ENS browser access, as the wildcard DNS record covers roughly 2 million ENS domains. This included high-profile destinations like Vitalik Buterin's blog at vitalik.eth.limo.
Lessons Learned
The incident highlights the importance of recovery workflows and registrar trust in maintaining the security of decentralized systems. EasyDNS accepted responsibility for the breach, describing it as their first successful social engineering incident in 28 years.
Key Takeaways
- The eth.limo hijack was a result of social engineering, not a smart contract failure or wallet compromise.
- The breach exposed the potential risks of decentralized access relying on centralized support processes.
- The incident highlights the importance of robust recovery workflows and registrar trust.
- The eth.limo team regained access to the domain within hours, minimizing the potential impact.
Frequently Asked Questions
What was the cause of the eth.limo hijack?
The hijack was caused by an attacker impersonating an eth.limo team member and convincing EasyDNS to initiate an account recovery flow.
How many ENS domains were potentially affected by the breach?
Roughly 2 million ENS domains were potentially affected by the breach, due to the wildcard DNS record covering these domains.
