QuickSwap’s GoDaddy Domain Hijack: How it Happened & Our Proposal to Restore the Community
On Friday, May 14th at approximately 12 am UTC, hijackers gained access to QuickSwap’s DNS through a vulnerability in GoDaddy — where QuickSwap’s domain was hosted. Before QuickSwap was able to regain control of our domain, several DEX users lost money by swapping through the platform. What follows is a more detailed explanation of what happened, what we’ve done to ensure something like this doesn’t happen again, and a governance proposal about whether QuickSwap should use funds from our treasury to issue an endowment to those who were affected.
- Update: This vote concluded on May 24th. 66.1% voted in favor
- On May 14th, hijackers gained access to QuickSwap’s domain through GoDaddy
- The hijackers changed the DNS settings so that all trades would go to his or her address
- When QuickSwap recognized the issue, we immediately contacted GoDaddy and issued a warning to the community
- To combat this security breach, we have moved our DNS hosting to a more secure platform
- QuickSwap regained access to our domain on May 14th at approximately 7 am UTC
- From the start of the attack until 4 am UTC on May 18th, $107,600 was traded on the fraudulent site and was lost to the attacker
- QuickSwap deeply empathizes with our community members who were affected by the domain hijacking. We value our community above all else, which is why we are introducing a governance vote to use funds from our treasury to pay tribute to the affected parties
- The snapshot for the governance vote will take place on Friday, May 20th and the vote will run through Tuesday, May 24th
- More details follow, please read the proposal below BEFORE jumping into our discussion forums
First, some background
On May 14th at approximately 12 am UTC, attackers gained control of several DeFi platforms (including QuickSwap, SpiritSwap, and HoneySwap) domains and modified the frontend to divert funds traded on the platforms into a wallet that the attackers control.
Due to our active community and multiple reports of people not receiving traded funds in their wallets, QuickSwap quickly identified the issue and posted warnings on Twitter, Telegram, and across our social channels at around 1:45 am UTC.
As we were warning the community, QuickSwap’s co-founder and lead developer Sameep Singhania was on the phone with GoDaddy Support trying to figure out what happened and regain access to our domain. After several hours of arguing and going through multiple GoDaddy representatives, Sameep finally convinced someone on the support team to change the email address back to one that is in QuickSwap’s control. This helpful GoDaddy associate also reset the 2-factor authentication to Sameep’s control. This was all done without GoDaddy’s support staff taking a single measure to confirm Sameep’s identity or ensure that he was the rightful owner of the QuickSwap domain.
From the GoDaddy logs, we can see that someone was able to change the email address QuickSwap provided to his or her personal address. From our own experience getting the email address reset, we know how easily this can be accomplished with GoDaddy support. After gaining access to the email and 2FA, the attacker changed the password and was then able to change the DNS settings. S/he pulled the code from the beta version of our UI from GitHub and the phishing attack began. All in, approximately $107,600 USD was traded on QuickSwap during the phishing attack and lost to the attacker.
What are we doing about it?
While we’re very grateful for the kind-hearted representative who helped QuickSwap shorten the attack on our DNS, we can no longer rely on GoDaddy’s security for our exchange. In the wake of the GoDaddy hijack, QuickSwap has taken several measures to ensure that this won’t happen again.
We’ve consulted with the Polygon team and our own advisory board about options for domain hosting. After much discussion, we have now moved our DNS to a more secure platform while we continue to explore other, more decentralized options.
Now, onto the governance proposal…
We are flying in uncharted skies, and there is no precedent here. Prior to this domain hijacking, a DEX has never created an endowment to pay tribute to the affected parties of attacks.
Because we value you, our community, so highly, we would like to find a way to make those who were affected by the hijacking whole. QuickSwap is and always has been a decentralized, community-governed platform. As such, deploying funds from our treasury requires a community governance vote. Thus, we are asking the QuickSwap community: Should we use funds from our treasury to grant an endowment to those affected by the GoDaddy domain hijacking?
How much would be endowed and how would it be paid?
From the beginning of the attack until May 18th, $107,600.6754 was traded through QuickSwap and lost to the attacker. There is no expedient way to calculate how much each trade made would be worth today in the various assets people traded into and out of. Therefore, we propose to base the endowment on lost USD value to be paid in Old QUICK with a value of $77. This means the endowment would be for a total of ~1,397.42 Old QUICK.
We have already created a detailed list of every address that was affected and how much they lost. If this governance vote passes, we will distribute the endowments to the affected parties.
How would this impact QUICK’s price?
The short and most honest answer is we don’t know. Across financial markets, sentiment is low. The crypto fear and greed index is at a 2022 low, showing “extreme fear”. We don’t know how long this will last or when markets might turn around. Additionally, we don’t know what each endowment recipient would do with their QUICK.
If 100% of the endowed QUICK were dumped on the market at one time, there would be an 8.49% price impact. However, we believe it’s highly unlikely that 100% of recipients would immediately dump their QUICK. In fact, it’s also possible that if QuickSwap were to pass this governance vote, create an endowment, and restore the lost funds, community trust and faith in QuickSwap could increase.
Again, we cannot say with certainty how this endowment would affect QUICK’s price. We encourage each and every QuickSwap community member to do their own research and vote their conscience.
Should we sue GoDaddy?
We’ve done a lot of digging into who is liable for this breach. There is no question that GoDaddy’s lackluster security is the culprit. However, suing a large corporation like GoDaddy would require an expensive legal firing squad and it would take time, which our community members don’t have. We believe that suing GoDaddy would be more expensive (in both dollars and time) than the alternative route that we’ve proposed here.
This is a decision that could significantly affect our community, as such, we want all QUICK holders to participate in the vote; however, some QUICK holders aren’t currently eligible. To be qualified to vote, your QUICK must be held on the Polygon Network in a self-custodial wallet by the time of the snapshot on Friday, May 20th.
To be clear:
You are eligible to vote if you meet any of the following conditions:
- You hold Old QUICK in a MetaMask Wallet or another Polygon-enabled wallet to which you control the private keys. Please note: To qualify, your Old QUICK must be held on the Polygon Network and not on Ethereum, BSC, or any other chain.
- You hold New QUICK in a MetaMask Wallet or another Polygon-enabled wallet to which you control the private keys. Please note: To qualify, your New QUICK must be held on the Polygon Network and not on Ethereum, BSC, or any other chain.
- You deposited your Old QUICK into the Dragon’s Lair and are now holding dQUICK in its place while you accumulate more Old QUICK.
- You deposited your Old QUICK into a Dragon’s Syrup Pool and are farming other tokens with it.
- You deposited your New QUICK into a Dragon’s Syrup Pool and are farming other tokens with it.
- You are providing liquidity for select Old and New QUICK pairs on QuickSwap and have staked your LP so you’re earning trading fees and dQUICK rewards. Select pairs include:
Old QUICK — MATIC
Old QUICK — ETH
Old QUICK — TEL
Old QUICK — USDC
New QUICK — ETH
New QUICK — USDC
You are not eligible to vote if:
- You hold Old or New QUICK on a centralized exchange wallet (such as Binance, Coinbase, Crypto.com, etc) to which you do not hold the private keys.
- You hold Old or New QUICK in a self-custodial wallet (like MetaMask), but you keep that QUICK on Ethereum, BSC, or any network other than Polygon.
- You are providing liquidity for a QUICK pair not listed above on QuickSwap or for any QUICK pair on another DEX. (To be clear: Only the QUICK you are using to LP for pairs not mentioned above will be excluded from the snapshot. If you also hold QUICK that you are not using to LP with, you will be eligible to vote with that).
The snapshot will take place on Friday, May 20th, 2022. The vote will begin immediately after and will run for 5 days. Eligible QUICK holders will have the opportunity to cast their votes from Friday, May 20th — Tuesday, May 24th.
If this vote passes, QuickSwap will dispense endowments to the addresses we’ve already deemed to have been effected immediately.
How to participate in the vote
- Visit https://snapshot.org/#/quickvote.eth after the snapshot on Friday, May 20th.
- Connect your MetaMask Wallet (or other Polygon-compatible, self-custodial wallet)
- Make sure you’re connected to the Matic Mainnet
- The combined weight of Old QUICK, New QUICK, and dQUICK in your wallet at the time of the snapshot will dictate the weight of your vote
- $QUICK staked in select liquidity pools will also be counted in the weight of your vote
3. Select the open proposal titled, “Should we use funds from the treasury to grant an endowment to those affected by the GoDaddy domain hijacking?”
4. Click on the option you prefer
5. Confirm your selection in your wallet
Which way to vote?
We believe in democracy. We always encourage our community members to maintain their sovereignty, do their own research, and vote their conscience. While much of the team believes that creating this endowment to restore value to those who lost it will foster greater trust for our DEX in the long run, you may think otherwise. We invite you to come discuss the topic openly in any of our online forums. At QuickSwap, our utmost priority has always been to ensure that our DEX thrives. We know that we can’t do that without valued community members, like you. Come let us know what you’re thinking anytime.