Back to Blog 
SulfurPT
PentestingWeb3 SecurityTypeScript
When Web2 Infrastructure Breaks DeFi: The Hidden Attack Surface
13 min
52 views
The Frontend Is the New Attack Surface
When we talk about DeFi security, the conversation always turns to smart contract audits. And yes, solid on-chain code is essential, but these days, it's simply not enough. Some of the biggest hacks in recent years didn't start in Solidity at all. They began in the Web2 infrastructure that connects ordinary users to the blockchain.
The stats tell a sobering story: Hacken’s 2025 Half-Year Report shows over 1.5 billion, wasn’t a flash loan exploit or a reentrancy bug. It was a clever injection into the user interface that tricked hardware wallet signers into approving a malicious transaction. Aerodrome Finance lost more than $1 million in an hour through DNS hijacking. Curve Finance had its website redirected twice in 2024–2025, draining user wallets. And the Squarespace domain hijacking campaign took down dozens of Web3 projects, including Compound and Celer Network.
If you're building or securing a DeFi protocol, here's the uncomfortable truth: your frontend, DNS, and cloud infrastructure are now part of your attack surface. Ignoring them is like installing a vault door on a tent.
The Overlooked Attack Surface: Web2 Meets Web3
Modern decentralized applications sit on a stack that mixes decentralized blockchain logic with centralized Web2 infrastructure:
1User → Browser → Frontend (React/TypeScript) → API/Backend → Cloud Services → Blockchain
Every layer introduces vulnerabilities that simply don't exist in smart contracts alone:
- DNS - The internet's phonebook. If it's compromised, users are sent to phishing sites even when they type the right URL.
- CDN & Hosting - Where your frontend code lives. A malicious script injected here runs in every visitor's browser.
- Cloud Storage - S3 buckets, GCP buckets, they often hold API keys, admin credentials, or even built wallet interfaces.
- CI/CD Pipeline - The development workflow. If compromised, attackers can inject code that ships to production unnoticed.
- Domain Registrar - The entity controlling your DNS. A weak registrar account means total frontend takeover.
These are classic Web2 security problems, but in DeFi they have on-chain consequences. A stolen API key lets an attacker submit transactions straight to your contracts. A phishing site tricks users into signing away their funds. A compromised DNS record can drain millions in hours.
Real Incidents: How Web2 Failures Drained DeFi Protocols
1. Aerodrome Finance: DNS Hijacking (November 2025)
Aerodrome Finance, Base’s largest DEX, suffered a DNS hijack that redirected users from its
.box and .finance domains to a malicious clone. The attackers changed DNS records at the registrar level (Box Domains), exploiting an insider threat at NameSilo.When users visited what looked like Aerodrome’s legitimate interface, they were prompted to connect their wallets and sign transactions that seemed harmless, the number “1” followed by a flood of unlimited approval requests. If signed, those approvals let the attacker drain ETH, WETH, USDC, and other tokens. Over $1 million disappeared within an hour.
The attack was entirely a Web2 problem: the smart contracts remained untouched. The breach happened at the DNS layer, a centralized weak point in an otherwise decentralized system. Aerodrome’s response was to point users to ENS-based mirrors that use Ethereum’s decentralized naming service instead of traditional DNS.
Prevention tip: Teams should register ENS domains as backups before incidents occur, not after. A simple
aerodrome.eth redirect could have saved users millions.2. Bybit: UI Injection via Safe Wallet (February 2025)
The largest cryptocurrency theft ever-$1.5 billion-came not from a smart contract flaw but from a malicious JavaScript file injected into Safe{Wallet}’s web interface. Attackers compromised a Safe developer’s machine and modified a specific JavaScript chunk that Bybit’s signers used to approve cold wallet transactions.
Here's how the malicious code worked:
- Detect if the current signer was one of Bybit's authorized approvers
- Save a copy of the original transaction data the signer thought they were approving
- Replace that data with a completely different operation:
delegatecallto a malicious contract that transferred ownership of the cold wallet - Have the signer approve this tampered transaction
- After signing, swap the transaction data in the UI back to the original (so the signer believed they approved something else)
The result: multiple Bybit signers unknowingly approved a transaction that handed over control of a cold wallet holding 401,347 ETH. The attackers, later identified as North Korea's Lazarus Group, quickly laundered the funds across mixers and decentralized exchanges.
The fix? Bybit and Safe added extra validation layers, but the damage was already done, all because one JavaScript file in the Web2 frontend was compromised.
Prevention tip: Require signers to verify transaction hex independently via CLI tools or hardware wallet displays, especially for high-value operations. Never trust the UI alone for critical transactions.
3. Squarespace Domain Hijacking: Mass Compromise (July 2024)
In a remarkably broad campaign, attackers exploited security weaknesses in Squarespace’s platform to compromise dozens of Web3 projects’ domains, including Compound and Celer Network, which reported frontend hijacks within days of each other.
Security weaknesses during the migration from Google Domains in 2023 were widely discussed as a contributing factor, leading to unauthorized access to some accounts and creating a significant vulnerability overnight.
Attackers used password spraying, trying a small set of common passwords against many accounts-to gain access. Without 2FA, a correct password was sufficient. Once inside, they modified DNS A records to point to phishing sites running the Inferno draining kit, which tricked users into signing draining transactions.
The incident showed how a single Web2 platform’s misconfiguration can ripple across the entire DeFi ecosystem. Projects using Squarespace suddenly found their users being robbed through no fault of their own smart contracts.
Prevention tip: Audit your domain registrar's security posture quarterly. If your registrar disables security features during migrations (like Squarespace did with 2FA), consider transferring to a provider with stronger security guarantees.
4. Cloud Misconfiguration: The Silent Threat
While Capital One was a traditional finance breach, the same class of vulnerability plagues DeFi today. The 2019 Capital One breach exemplifies this threat: a misconfigured AWS S3 bucket exposed over 100 million credit card applications, including names, addresses, credit scores, and Social Security numbers. The breach was traced back to a firewall misconfiguration that inadvertently made the bucket publicly accessible.
A Datadog 2024 State of Cloud report found that 1.48% of AWS S3 buckets are effectively public, similar to 2023’s 1.5%. While that sounds small, with millions of buckets it translates to tens of thousands of publicly accessible storage containers. For DeFi protocols, an exposed
infura.io API key in a public S3 bucket can be used to abuse infrastructure endpoints that rely on Infura (e.g., transaction relayers), submit unauthorized transactions, or exfiltrate sensitive user data.Prevention tip: Implement automated S3 bucket scanning in your CI/CD pipeline. Tools like
trufflehog or git-secrets can catch exposed keys before they reach production.Common Web2 Vulnerabilities That Drain DeFi
From the incidents above, a pattern emerges. Here are the Web2 vulnerabilities that most frequently lead to on-chain losses:
1. DNS Hijacking
Attackers modify DNS records at the registrar level to redirect users to phishing sites. Even users typing the correct URL can end up on a malicious page that looks identical to the real protocol.
Impact: Wallet draining, unlimited approval traps, loss of funds.
2. UI Injection / Malicious JavaScript
Compromised developer machines or CI/CD pipelines let attackers inject malicious JavaScript into the frontend build. This code runs in every user's browser and can manipulate transaction data before signing.
Impact: Signers approve one thing but a different transaction executes (Bybit style).
3. Cloud Misconfiguration (Exposed S3 Buckets, API Keys)
Publicly accessible cloud storage often contains sensitive credentials: Infura/Alchemy keys, AWS secret keys, admin API tokens. An attacker can use these to access backend services directly.
Impact: Unauthorized transaction submission, data exfiltration, full control of infrastructure.
Frequency: Ongoing — 1.48% of S3 buckets remain public in 2025.
4. Domain Registrar Compromise
If the registrar account protecting your domain lacks 2FA or uses weak passwords, attackers can gain control and change DNS records, SSL certificates, or even transfer the domain.
Impact: Complete frontend takeover, phishing at scale.
5. Supply Chain Attacks
Malicious packages published to npm, PyPI, or other registries can introduce backdoors into your frontend build. The September 2025 npm meltdown compromised 18 widely-used packages (chalk, debug, ansi-styles), affecting millions of downloads.
Impact: Remote code execution, data theft, crypto exfiltration.
Checklist: 10 Essential Security Controls for DeFi Protocols
To protect against these Web2-originating threats, DeFi teams should implement the following controls, categorized by effort level:
🟢 Quick Wins (Implement This Week)
- Use HSTS — Force HTTPS connections to prevent MITM attacks. One-line header addition.
- Enforce MFA for ALL admin accounts — Registrar, cloud console, GitHub, CI/CD, every account with deployment privileges. Low effort, high impact.
🟡 Medium Effort (Implement This Month)
- Audit S3 bucket permissions monthly — Ensure no public access blocks are missing; scan for exposed API keys using tools like
trufflehogorgitleaks. - Implement Content Security Policy (CSP) — Restrict which scripts can execute in your frontend; mitigate XSS and malicious script injection. Requires testing to avoid breaking legitimate scripts.
- Add Subresource Integrity (SRI) to all CDN-loaded scripts — Ensure scripts haven't been tampered with. Requires build pipeline updates.
- Integrate transaction simulation — Use tools like Tenderly or blockscout to show users exactly what will happen before they sign.
🔴 Strategic Investments (Plan for This Quarter)
- Enable DNSSEC — Sign your DNS records to prevent tampering; use a registrar with strong 2FA (avoid platforms with known 2FA issues). Requires DNS provider support and careful rollover planning.
- Adopt decentralized naming (ENS, Unstoppable Domains) — Provide users with trustless alternatives to DNS. Long-term trust infrastructure.
- Require manual transaction verification — Encourage signers to verify transaction hex via CLI tools or hardware wallet displays before signing. Requires team training and process changes.
- Conduct full-stack pentest annually — Include Web2 layers (DNS, cloud, frontend) not just smart contracts. Requires budget and scheduling.
Zealynx: Securing the Full Stack
At Zealynx, we understand that smart contract audits alone aren't enough. Our full-stack security assessments cover every layer of your DeFi protocol:
- TypeScript & Frontend Audits - Finding XSS, CSRF, insecure direct object references, and client-side bypasses. Learn more about our TypeScript audit services and why they're critical for Web3 security.
- Infrastructure Reviews - DNS security, cloud configuration, CI/CD pipeline hardening. See our complete security checklist collection for examples of our thorough approach.
- End-to-End Penetration Testing - Simulating real-world attacks that combine Web2 and Web3 vectors. We follow the same rigorous methodology as our smart contract audits, but extended to your entire stack.
We help teams uncover the hidden attack surfaces that traditional auditors overlook, the very ones responsible for billions in losses throughout 2024-2025. For more insights on audit pricing and what comprehensive security actually costs in 2026, check out our Audit Pricing Guide.
Ready to Secure Your Full Stack?
If you're preparing for a mainnet launch or scaling an existing DeFi protocol, a comprehensive security review that includes your Web2 infrastructure is no longer optional. The attack surface has expanded, and so should your defenses.
See how Zealynx can secure your full stack in 48 hours. Our team specializes in finding the vulnerabilities that traditional auditors miss, before attackers do.
Request your free security assessment today and join the protocols that trust Zealynx to protect billions in TVL.
FAQ: Web2 Security for DeFi Protocols
1. What is a Web2 attack surface in DeFi?
The Web2 attack surface in DeFi refers to all the centralized infrastructure components that connect users to on-chain protocols: DNS, frontends, CDNs, cloud storage, CI/CD pipelines, and domain registrars. Compromising any of these layers can lead to on-chain losses even if the smart contracts themselves are secure.
2. How does DNS hijacking affect DeFi protocols?
DNS hijacking redirects users from a legitimate protocol domain to a phishing site controlled by the attacker. Users who connect their wallets and sign transactions on the fake site unknowingly approve token drains or unlimited approvals. This has caused multi-million dollar losses at protocols like Aerodrome Finance and Curve Finance.
3. Can a smart contract audit prevent frontend attacks?
No. Smart contract audits only cover on-chain code. Frontend attacks like UI injection, DNS hijacking, and supply chain compromises happen entirely off-chain. Protocols need full-stack security assessments that include TypeScript audits, infrastructure reviews, and penetration testing alongside traditional smart contract audits.
4. What is the most effective defense against UI injection attacks?
The most effective defenses are: implementing Content Security Policy (CSP) headers to restrict which scripts can execute, using Subresource Integrity (SRI) to verify CDN-loaded scripts, and requiring signers to verify transaction data independently via CLI tools or hardware wallet displays rather than trusting the UI alone.
5. How can DeFi teams protect against supply chain attacks?
DeFi teams should pin dependency versions, audit package updates before merging, use lockfiles, and monitor for known vulnerabilities in their dependency tree. Automated tools like
npm audit, socket.dev, and trufflehog can catch malicious packages and exposed secrets before they reach production.6. Should DeFi protocols use decentralized DNS alternatives like ENS?
Yes. Registering an ENS domain (e.g.,
protocol.eth) as a backup provides a censorship-resistant, tamper-proof alternative that users can fall back on if traditional DNS is compromised. Several protocols now maintain ENS mirrors as part of their incident response strategy.Glossary
| Term | Definition |
|---|---|
| DNSSEC | DNS Security Extensions that cryptographically sign DNS records to prevent unauthorized modifications and hijacking attacks. |
| Content Security Policy (CSP) | HTTP response header that restricts which scripts, styles, and resources can load in a browser, mitigating XSS and code injection attacks. |
| Subresource Integrity (SRI) | Security feature that lets browsers verify externally loaded scripts and stylesheets haven't been tampered with using cryptographic hashes. |
| Transaction Simulation | Process of predicting the exact on-chain outcome of a blockchain transaction before signing, revealing hidden state changes or malicious behavior. |
| Cloud Misconfiguration | Incorrectly set permissions on cloud infrastructure (e.g., public S3 buckets) that expose sensitive data, API keys, or admin credentials. |
