eth.limo, a popular gateway for the Ethereum Name Service (ENS), suffered an unexpected social engineering attack on Friday evening, April 17. After the incident, which started when the attacker bypassed the verification processes, the authority in the registry operator EasyDNS was taken over and a temporary service interruption occurred.
Quick response and DNS redirects
During the attack, an attacker impersonating a member of the eth.limo development team was able to initiate account recovery via EasyDNS. Looking at the timeline of events, eth.limo’s name servers were first redirected to Cloudflare, then quickly to Namecheap. Team members took action with the warnings made towards the morning, and finally EasyDNS handed over control of the account back to the project.
Eth.limo offers an open source reverse proxy service that covers approximately 2 million .eth domains. It allows users to access content hosted on distributed storage systems such as IPFS, Arweave or Swarm directly from the browser. The total wildcard DNS records used by the platform were targeted during the attack, and approximately two million .eth domain names were put at serious risk.
“On behalf of everyone, I would like to apologize to the eth.limo team and the broader Ethereum community. ENS has always held a special place for us as EasyDNS was the first registrar to connect web2 domains with ENS, and we have been active in this space since 2017.”
DNSSEC and limiting the impact of the attack
DNS Security Extensions known as DNSSEC prevented the attack from causing greater damage. DNSSEC cryptographically signs DNS records, automatically blocking unverified or invalid records.
Because the attacker was unable to access the gateway system’s signing keys, the DNSSEC authentication chain was broken. Thus, service providers did not recognize the attacker’s new name server responses as valid and users were not redirected to unsecured pages.
The Eth.limo team stated that DNSSEC has narrowed the area regarding the impact of the attack and so far users have not encountered any losses. Vitalik Buterin, one of the founders of Ethereum, advised users to stay away from eth.limo connections during the outage. A day later, he announced that all controls were restored.
Statement and new measures from EasyDNS
EasyDNS CEO Mark Jeftovic stated in his blog post that such a social engineering attack was successful for the first time in the 28-year history of the company, but only eth.limo was affected. After what happened, it was decided to move eth.limo to a private platform called Domainsure, which does not have an account recovery feature. The company did not share details about what technical method the attacker used.
The number of similar incidents has been increasing lately. Last November, DNS hijacking attacks also occurred on decentralized exchanges Aerodrome and Velodrome. During these attacks, users suffered financial losses because DNSSEC was removed from the relevant domain names. In March, Steakhouse Financial and Neutrl platforms were exposed to various security vulnerabilities through social engineering.
Ironically, eth.limo had recently provided additional support by offering alternative access to DeFi platforms during the Aerodrome event in November. In the ENS DAO update, it was emphasized that eth.limo is an alternative gateway in cases where DeFi interfaces are inaccessible.
Vitalik Buterin has long pointed out the risks of the Ethereum ecosystem being too reliant on centralized domain resolution. He reminded again that developers should encourage methods that point directly to distributed networks such as IPFS.
Following the incident, the eth.limo service was completely returned to the control of its former team and the platform was reopened.
