Neutrl Pauses Protocol on March 19 Following DNS Hijack
The decentralized finance protocol Neutrl suspended its platform on March 19 after its frontend was compromised. The team announced via X that it suspected a frontend attack, advising users to immediately cease all interaction with its website. Initial findings revealed the incident was not a smart contract exploit but a domain name system (DNS) hijack. Attackers used social engineering to gain control of the app domain from the provider, redirecting traffic to a malicious replica of the Neutrl interface.
In response, Neutrl took its smart contracts offline as a precautionary measure to prevent any interaction with the compromised frontend. The team is collaborating with security firm @0xGroomLake to investigate the breach and has committed to releasing a full post-incident report.
Attackers Tricked Users Into Granting Malicious Permissions
The primary goal of the attack was to deceive users into approving malicious Permit2 permissions. These permissions allow external contracts to manage a user's tokens, and granting them to a fraudulent address gives attackers the ability to drain funds from the user's wallet without further confirmation. The cloned website appeared identical to the legitimate one, making the malicious approval requests difficult for users to detect.
Neutrl advised users to use services like Revoke.cash to cancel any permissions granted to two specific malicious contract addresses:
0x23f2741EaA0045038e9b52100CdcC890163dE53F
0xa0Adf074056E41dfB892aFC69881E15073b384b9
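The sketch below is an added example, not code from Neutrl or from the original article: it shows how a wallet or browser extension could inspect an EIP-712 signing request and flag a Permit2 approval whose spender is one of the two addresses above. The function name, the trusted-spender parameter and the sample request are assumptions constructed for illustration.

```javascript
// Canonical Permit2 deployment address, lowercased for comparison.
const PERMIT2 = "0x000000000022d473030f116ddee9f6b43ac78ba3";
// The two addresses named in Neutrl's advisory; compared case-insensitively.
const BLOCKED = new Set([
  "0x23f2741EaA0045038e9b52100CdcC890163dE53F",
  "0xa0Adf074056E41dfB892aFC69881E15073b384b9",
].map((a) => a.toLowerCase()));
const PERMIT_TYPES = new Set([
  "PermitSingle", "PermitBatch", "PermitTransferFrom", "PermitBatchTransferFrom",
]);
const MAX_UINT160 = (1n << 160n) - 1n; // "unlimited" in Permit2 allowances

// Hypothetical helper: review the typed data passed to eth_signTypedData_v4.
function reviewPermit2Request(typedData, trustedSpenders = []) {
  const findings = [];
  const domain = typedData.domain || {};
  const msg = typedData.message || {};
  const isPermit2 =
    String(domain.verifyingContract || "").toLowerCase() === PERMIT2 &&
    PERMIT_TYPES.has(typedData.primaryType);
  if (!isPermit2) return { verdict: "not-permit2", findings };

  const spender = String(msg.spender || "").toLowerCase();
  const trusted = new Set(trustedSpenders.map((a) => a.toLowerCase()));
  const blocked = BLOCKED.has(spender);
  if (blocked) findings.push("spender is on the advisory blocklist");
  else if (!trusted.has(spender)) findings.push("spender is not a trusted contract");

  // "details" (allowance permits) or "permitted" (signature transfers),
  // each either a single object or an array in the batch variants.
  for (const g of [].concat(msg.details || msg.permitted || [])) {
    if (BigInt(g.amount ?? 0) >= MAX_UINT160) {
      findings.push(`unlimited amount for token ${g.token}`);
    }
  }
  const verdict = blocked ? "block" : findings.length ? "warn" : "ok";
  return { verdict, spender, findings };
}

// Constructed sample request (token address and chain are placeholders).
const SAMPLE_REQUEST = {
  domain: { name: "Permit2", chainId: 1,
            verifyingContract: "0x000000000022D473030F116dDEE9F6B43aC78BA3" },
  primaryType: "PermitSingle",
  message: {
    details: { token: "0x1111111111111111111111111111111111111111",
               amount: MAX_UINT160.toString(), expiration: 0, nonce: 0 },
    spender: "0x23f2741eaa0045038e9b52100cdcc890163de53f",
    sigDeadline: 0,
  },
};
console.log(reviewPermit2Request(SAMPLE_REQUEST));
```

A check like this runs on the typed data itself, so it does not depend on how convincing the page requesting the signature looks.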
Update on the ongoing security incident: We are currently working with @0xGroomLake on the investigation. Initial findings suggest the DNS provider hosting the app domain was socially engineered, allowing an attacker to redirect the domain. Neutrl smart contracts remain secure…
— Neutrl, March 19, 2026
Frontend Security Remains a Critical DeFi Vulnerability
This incident highlights a persistent weak point in the decentralized finance ecosystem. While protocols often invest heavily in auditing their smart contracts, the user-facing frontend remains a prime target for attackers. By compromising the website layer through DNS or other means, hackers can intercept user actions and steal assets without ever breaching the underlying blockchain protocol. This type of attack exploits user trust in the website interface, turning a secure backend into a trap.