defirisk.co
rubric v1.7.0

DNS/CDN/frontend hash drift

A real-time signals factor in the v1.7.0 rubric, measured per protocol on a real-time (rt) cadence.

Methodology: how we score

**What this measures** This real-time signal fires when the hash of the production frontend JavaScript bundle changes from the last published hash, or when a DNS configuration change is detected for the protocol's primary domain. Hash monitoring is conducted by periodic comparison of the loaded JS content against the last known-good hash stored at assessment time. DNS change detection covers nameserver changes, A-record modifications, and CDN configuration updates. Category 6 context: frontend compromises represent the off-chain attack surface that smart contract audits cannot cover; the Badger DAO and Curve Finance DNS incidents demonstrate that these attacks operate with no on-chain pre-signal.

**Why it matters** Badger DAO ($120M, 2021) is the clearest example: the Cloudflare frontend compromise injected a malicious script that inserted approval-harvesting calls into user transactions, and the malicious frontend persisted for approximately 12 days before the drain was executed. The attack would have been detected immediately by a frontend hash monitor. SwissBorg ($41.5M, 2025) involved a Kiln API compromise where malicious authorization was embedded in routine transactions — adjacent infrastructure. Curve Finance's DNS nameserver hijack ($575K) illustrates that DNS monitoring provides an independent alert channel from contract monitoring. AnySwap V3 ($7.9M, 2021) showed MPC key compromise enabling frontend-level attacks.

**Green / Yellow / Red** Green is the baseline when the frontend hash matches the last published hash and DNS records are unchanged from the baseline configuration. Yellow fires when a minor frontend update is detected that could represent a legitimate deploy — the system checks whether a corresponding GitHub release or commit was published within six hours. Red fires when a frontend hash change is detected with no corresponding public release, or when a DNS nameserver or A-record change occurs without any prior announcement from the protocol team.

**Common gray cases** Gray applies when the protocol does not have a traditional web frontend (e.g., fully on-chain UI via ENS or IPFS with content-addressed hashes), or when the CDN configuration is managed by a third party whose change events cannot be independently monitored.
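The Green / Yellow / Red / Gray decision described above, as an added example in Python; it is not defirisk.co's own code. The names `Snapshot` and `score`, the `releases` and `dns_announced` inputs, applying the six-hour window on either side of detection, and scoring an announced DNS change as yellow are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RELEASE_WINDOW = timedelta(hours=6)  # "within six hours" in the rubric text

@dataclass
class Snapshot:
    bundle: Optional[bytes]      # fetched JS bundle; None = no monitorable frontend
    nameservers: frozenset
    a_records: frozenset

def score(baseline_hash, base, cur, seen_at, releases=(), dns_announced=False):
    """Return (colour, evidence). releases and dns_announced are assumed inputs."""
    if cur.bundle is None:
        return "gray", {"reason": "frontend not monitored"}
    new_hash = hashlib.sha256(cur.bundle).hexdigest()
    evidence = {"prior_hash": baseline_hash, "new_hash": new_hash,
                "timestamp": seen_at.isoformat()}
    # Symmetric difference catches both added and removed records.
    dns_diff = {"ns": sorted(cur.nameservers ^ base.nameservers),
                "a": sorted(cur.a_records ^ base.a_records)}
    dns_changed = bool(dns_diff["ns"] or dns_diff["a"])
    hash_changed = new_hash != baseline_hash
    if dns_changed:
        evidence["dns_change"] = dns_diff
    if not (hash_changed or dns_changed):
        return "green", evidence
    # A hash change is explained only by a public release inside the window.
    released = any(abs(seen_at - t) <= RELEASE_WINDOW for t in releases)
    if (hash_changed and not released) or (dns_changed and not dns_announced):
        return "red", evidence
    return "yellow", evidence

# Constructed sample data (documentation names and addresses, not real values).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
BASE = Snapshot(b"console.log('app v1');",
                frozenset({"ns1.example.net", "ns2.example.net"}),
                frozenset({"192.0.2.10"}))
BASE_HASH = hashlib.sha256(BASE.bundle).hexdigest()
NEW_JS = Snapshot(b"console.log('app v2');", BASE.nameservers, BASE.a_records)
NEW_NS = Snapshot(BASE.bundle, frozenset({"ns1.example.org"}), BASE.a_records)

if __name__ == "__main__":
    print(score(BASE_HASH, BASE, BASE, T0)[0])
    print(score(BASE_HASH, BASE, NEW_JS, T0, releases=(T0 - timedelta(hours=2),))[0])
    print(score(BASE_HASH, BASE, NEW_JS, T0))
    print(score(BASE_HASH, BASE, NEW_NS, T0))
```

The evidence dictionary mirrors the evidence artifact the rubric names: prior hash, new hash and timestamp, plus the DNS record difference when one exists.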

**Notable historical examples**

- **Badger DAO** ($120M, 2021): Cloudflare frontend compromise; malicious script injected; 12-day window before drain.
- **SwissBorg (via Kiln)** ($41.5M, 2025): Third-party API compromise enabling malicious authorization in routine transactions.
- **MonoX** ($31.4M, 2021): Off-chain infrastructure dependency compromise contributing to attack surface.
- **AnySwap V3** ($7.9M, 2021): MPC ECDSA nonce reuse enabling off-chain signing compromise.

Measurement: what to look for

Detect whether the hash of the production frontend JS has changed from the prior published hash, or whether a DNS configuration change has occurred.

Data & output

- **Data source:** Frontend JS hash monitor (hourly fetch + compare) + DNS change detection via DNS probes
- **Output format:** Green / Yellow / Red
- **Evidence artifact:** Prior hash + new hash + diff description + timestamp; or DNS change record
- **Confidence signal:**
  - green = signal not firing
  - yellow = hash change from legitimate deployment (curator confirmed)
  - red = hash change unannounced or DNS change detected
  - gray = frontend not monitored (no known frontend URL)

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-105 |
|---|---|---|
| Aave v3 | ethereum | green |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | yellow |
| Axelar Network | ethereum | gray |
| Babylon Protocol | bitcoin | green |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | gray |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | green |
| Cap (cUSD / stcUSD) | ethereum | gray |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | green |
| Circle USYC | binance | gray |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | gray |
| Convex Finance | ethereum | green |
| crvUSD (Curve Stablecoin) | ethereum | red |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | yellow |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | yellow |
| ether.fi | ethereum | green |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | green |
| Fluid | ethereum | green |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | green |
| Hyperlane | ethereum | green |
| Hyperliquid | arbitrum | yellow |
| Jito | solana | green |
| Jupiter | solana | yellow |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | gray |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | gray |
| Lido | ethereum | gray |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | green |
| Lista DAO | bsc | green |
| Lombard Finance | ethereum | green |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | yellow |
| Meteora | solana | yellow |
| mETH Protocol | ethereum | green |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | green |
| Ondo Finance | ethereum | green |
| OpenEden | ethereum | gray |
| Orca | solana | green |
| PancakeSwap | bsc | yellow |
| Pendle Finance | ethereum | green |
| Polymarket | polygon | green |
| QuickSwap | polygon | yellow |
| Raydium | solana | yellow |
| Rocket Pool | ethereum | gray |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | gray |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | green |
| Spiko | stellar | green |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | green |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | gray |
| SUNSwap (sun.io) | tron | green |
| Superstate | ethereum | gray |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | gray |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | green |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | green |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | green |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: 4 historical incidents

- causal · **SwissBorg (via Kiln staking partner)** · 2025-09-08 · $42M · Partner API compromise — withdrawal authority transfer via hidden staking instructions · DNS / CDN / frontend change detected [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- causal · **Badger DAO (Bitcoin-yield vaults on Ethereum)** · 2021-12-02 · $120M · Front-end injection (Cloudflare account compromise) → malicious `increaseAllowance()` approvals → vault token drain · DNS / CDN / frontend change detected [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- causal · **MonoX** · 2021-11-30 · $31M · Native token self-swap price inflation — tokenIn/tokenOut identity bypass · DNS / CDN / frontend change detected [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]
- causal · **AnySwap (Multichain) V3** · 2021-07-10 · $8M · ECDSA repeated k-value (same R signature) → MPC private key back-calculation · DNS / CDN / frontend change detected [via cross-hack: Factor 8: Off-Chain Infrastructure Dependency]

rubric_version: v1.7.0 · factor: RD-F-105 · category: 6 · carried: 80 · critical: no