Audit log
1 decision on this page
Every state-changing event for Neutrl DeFi DNS Frontend Hijack (March 2026): moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-02 20:27:23Z. Score: ? → ? (no score change). Anchor: anchored
  - chain: mainnet-beta, slot 423,881,784
  - sig: 58rsAPiY42Xf…ZEQkPxeb (explorer ↗)
  - hash: 6sPTVaAtnCf5…M2MJ5Cuf (sha256 → base58)
  - verifying row… (full verify ↗)
  - canonical bytes (22719 B):
{"actor":"system:backfill","investigation_id":"97a77c60-00a0-4afa-8175-eea7bf52050f","kind":"publish","page_slug":"neutrl-dns-hijack-march-2026","published_at":"2026-06-02T20:27:23.733Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Neutrl DeFi DNS Frontend Hijack (March 2026)","sections":[{"content":"On March 19, 2026, Neutrl DeFi — a delta-neutral synthetic dollar protocol operating on Ethereum with approximately $170 million in TVL at the time — publicly disclosed that its frontend domain had been compromised through a suspected DNS hijack. The Neutrl team posted on X: \"Out of an abundance of caution, please do not interact with the website until further updates are provided.\" The attack appeared to have targeted Neutrl's DNS provider rather than its smart contracts directly. By redirecting the domain at the infrastructure level, the attacker could present users with a visually identical malicious interface without touching any on-chain code. The incident is categorized by security researchers as an infrastructure-layer attack rather than a smart-contract exploit, and is distinct from any prior on-chain vulnerability affecting the Neutrl protocol.","heading":"Incident Overview","severity":"high","sources":[{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"credibility":2,"name":"Neutrl Front-End Attack: Users Issued Urgent Warning — CryptoNewsZ","type":"news_article","url":"https://www.cryptonewsz.com/neutrl-front-end-attack-update-urgent-security/"},{"credibility":2,"name":"Neutrl Investigates Suspected Frontend Attack — Phemex News","type":"news_article","url":"https://phemex.com/news/article/defi-protocol-neutrl-investigates-suspected-frontend-attack-67486"}]},{"content":"According to contemporaneous reporting and subsequent 
security analysis, the alleged attack method involved social engineering Neutrl's DNS provider rather than exploiting any technical software vulnerability. The attacker allegedly submitted a convincing request to the registrar's support team — a technique consistent with the broader 2026 DeFi frontend hijack cluster in which multiple protocols had their DNS records altered by manipulating human operators at registrars. Independent security researcher 0xGroomLake was cited as collaborating with the Neutrl team on the investigation. Security commentator YAM, cited in reporting, recommended that DeFi protocols adopt enterprise-grade registrars such as Cloudflare, MarkMonitor, or AWS Route53, enable DNSSEC, and enforce hardware security key access locks on registrar accounts to prevent recurrence. The malicious frontend specifically targeted Permit2 wallet approvals — a mechanism that, once approved, allows an external address to transfer tokens on a user's behalf without further on-chain confirmation. 
Two specific contract addresses were flagged as malicious by the team: 0x23f2741EaA0045038e9b52100CdcC890163dE53F and 0xa0Adf074056E41dfB892aFC69881E15073b384b9.","heading":"Attack Vector: DNS Provider Social Engineering","severity":"high","sources":[{"credibility":2,"name":"Neutrl Front-End Attack: Users Issued Urgent Warning — CryptoNewsZ","type":"news_article","url":"https://www.cryptonewsz.com/neutrl-front-end-attack-update-urgent-security/"},{"credibility":2,"name":"The .fi Files: A Field Report on DNS Hijacking in DeFi — Web3SecNews (Substack)","type":"research","url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"}]},{"content":"Upon detecting the compromise on March 19, 2026, Neutrl took the following precautionary steps: smart contracts were paused to prevent on-chain interactions during the period of frontend uncertainty; users were advised to refrain from all website interactions; users who had connected wallets during the compromise window were directed to revoke all Permit2 authorizations and any unknown token approvals via revoke.cash; and the two flagged malicious contract addresses were publicly disclosed. By March 21, 2026 — approximately two days after initial disclosure — Neutrl had completed a domain migration to new infrastructure (neutrl.finance for the landing page; app.neutrl.finance for the application), switched to a new DNS service provider, and unsuspended smart contracts. The team confirmed that the protocol's net asset value and reserve assets are held in custodial wallets isolated via a custodial framework and over-the-counter settlement mechanism, which structurally insulated funds from the frontend compromise. 
No quantified theft amount was publicly disclosed; the incident was classified among \"non-financial\" infrastructure attacks in a March 2026 crypto security summary by Cryip.","heading":"Immediate Response and Recovery","severity":"medium","sources":[{"credibility":2,"name":"Neutrl Resumes Operations After DNS Migration — Phemex News","type":"news_article","url":"https://phemex.com/news/article/neutrl-resumes-operations-after-dns-migration-posthijacking-68032"},{"credibility":2,"name":"Neutrl DNS Migration Completed, Operations Resumed — WEEX Crypto News","type":"news_article","url":"https://www.weex.com/news/detail/neutrl-dns-migration-has-been-completed-and-operations-have-resumed-the-original-domain-will-be-gradually-phased-out-393585"},{"credibility":2,"name":"Neutrl DNS Migration Completed — PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/019d0f98-33ac-76cd-9ed3-35fdc6ef1292"},{"credibility":2,"name":"March 2026 Crypto Security Report: $37.6 Million Lost Across 21 Incidents — Cryip","type":"research","url":"https://cryip.co/march-2026-crypto-security-report-37-6-million-lost-across-21-reported-incidents/"}]},{"content":"Neutrl was the victim of this incident. The compromise originated at the DNS provider or registrar level and was not caused by any code vulnerability in Neutrl's smart contracts, custodial framework, or on-chain settlement architecture. Neutrl's NUSD is built on a deterministic, fully on-chain settlement design with Chainlink oracle integration, and Hypernative served as a real-time monitoring and automated pausing layer — a security posture independent of frontend DNS infrastructure. The attacker's identity has not been publicly disclosed as of reporting date. 
Attribution beyond the stated social-engineering vector is not confirmed in public sources.","heading":"Victim Framing and Attribution","severity":"low","sources":[{"credibility":2,"name":"How Neutrl Built NUSD Onchain Settlement Architecture With Hypernative as Real-Time Monitor and Pauser — Hypernative","type":"official","url":"https://www.hypernative.io/blog/how-neutrl-built-nusd-onchain-settlement-architecture-with-hypernative-as-real-time-monitor-and-pauser"},{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"}]},{"content":"Security researchers characterize the Neutrl incident as the earliest confirmed event in a six-week campaign targeting DeFi protocols through their web-layer infrastructure. At least four protocols with .fi domains were affected within a compressed window: Neutrl (March 19, 2026), HypurrFi (April 3, 2026), CoW Swap/cow.fi (April 14, 2026), and Steakhouse (also April 2026, exact date unconfirmed). Security publication Web3SecNews published a field report titled \"The .fi Files\" characterizing the attacks as a coordinated campaign rather than coincidence, noting a consistent TTP: social engineering registrar support teams by submitting fraudulent account change requests using OSINT and plausible-looking receiving domains, often bypassing credentials entirely. HypurrFi attributed its compromise to a social engineering attack on registrar Openprovider. CoW Swap's post-mortem identified the attacker as having impersonated a senior CoW DAO contributor and submitted falsified identification to Traficom (Finland's .fi TLD authority), ultimately obtaining domain control through registrar Gandi; reported user losses from CoW Swap reached approximately $1.2 million. 
In contrast, Neutrl's structural fund isolation meant no quantified user losses were publicly reported. The Neutrl incident thus represents both the earliest data point in the cluster and the case with the lowest confirmed financial impact, partly attributable to the protocol's rapid smart-contract pause and custodial segregation architecture.","heading":"Broader 2026 DeFi Frontend Hijack Cluster","severity":"high","sources":[{"credibility":2,"name":"The .fi Files: A Field Report on DNS Hijacking in DeFi — Web3SecNews (Substack)","type":"research","url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"credibility":2,"name":"HypurrFi Domain Hijacked in Social Engineering Attack — Phemex News","type":"news_article","url":"https://phemex.com/news/article/hypurrfi-domain-hijacked-in-social-engineering-attack-70843"},{"credibility":1,"name":"CoW Swap Pauses Protocol Amid Domain Hijacking — The Block","type":"news_article","url":"https://www.theblock.co/post/397432/cow-swap-pauses-protocol-amid-domain-hijacking"},{"credibility":2,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/cow-swap-report-says-cow-fi-domain-hijack-redirected-swap-cow-fi-to-phishing-site-estimated-user-losses-m"},{"credibility":1,"name":"HypurrFi Investigates Domain Hijacking, Warns Users — The Block","type":"news_article","url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"}]},{"content":"Neutrl is a DeFi protocol launched publicly in November 2025 following a $75 million pre-deposit vault campaign. Its core product, NUSD, is a delta-neutral synthetic dollar designed to capture yield from OTC altcoin arbitrage and funding rate inefficiencies. The protocol acquired locked altcoins at discounts through OTC markets and hedged the exposure using perpetual futures. 
Neutrl raised $5 million in seed funding in April 2025, led by STIX and Accomplice, with participation from Amber Group, SCB Limited, Figment Capital, Nascent, and angel investors including Ethena founder Guy Young and derivatives trader Joshua Lim of Arbelos Markets. CEO and co-founder Behrin Naidoo has a background in investment banking and digital assets, with prior positions at J.P. Morgan, RMI, and RMH, and holds a Master's in Finance from London Business School. Neutrl targeted $2 billion in assets under management within two years of its 2025 launch. As of the date of this incident, NUSD reported approximately $170 million in TVL on Ethereum.","heading":"Protocol Background","severity":"low","sources":[{"credibility":1,"name":"Neutrl Raises $5M to Tokenize a Popular Hedge Fund Altcoin Trade — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/04/16/neutrl-raises-usd5m-to-tokenize-a-popular-hedge-fund-altcoin-trade"},{"credibility":2,"name":"How Neutrl Built NUSD Onchain Settlement Architecture With Hypernative — Hypernative","type":"official","url":"https://www.hypernative.io/blog/how-neutrl-built-nusd-onchain-settlement-architecture-with-hypernative-as-real-time-monitor-and-pauser"},{"credibility":2,"name":"Neutrl — IQ.wiki","type":"research","url":"https://iq.wiki/wiki/neutrl"}]},{"content":"No publicly quantified theft amount has been reported for the Neutrl DNS hijack incident. The March 2026 Crypto Security Report published by Cryip classified the Neutrl compromise among \"low-level and non-financial incidents\" alongside other infrastructure attacks. The protocol stated that all user funds remained safe, attributing this to NUSD's custodial architecture: the protocol's net asset value and reserve assets are stored in custodial wallets isolated through a custodial framework and over-the-counter settlement mechanism, which structurally separates reserve assets from frontend exposure. 
The rapid smart-contract pause on March 19 further limited the window during which on-chain interactions could have been exploited. The absence of confirmed losses contrasts with the CoW Swap incident six weeks later, which recorded approximately $1.2 million in user losses.","heading":"Financial Impact and User Losses","severity":"medium","sources":[{"credibility":2,"name":"March 2026 Crypto Security Report: $37.6 Million Lost Across 21 Incidents — Cryip","type":"research","url":"https://cryip.co/march-2026-crypto-security-report-37-6-million-lost-across-21-reported-incidents/"},{"credibility":2,"name":"Neutrl DNS Migration Completed, Operations Resumed — WEEX Crypto News","type":"news_article","url":"https://www.weex.com/news/detail/neutrl-dns-migration-has-been-completed-and-operations-have-resumed-the-original-domain-will-be-gradually-phased-out-393585"}]},{"content":"Following the incident, security commentators highlighted several protective measures applicable to DeFi protocols: adoption of enterprise-grade registrars with strict identity verification (such as Cloudflare, MarkMonitor, or AWS Route53); enabling DNSSEC on all protocol domains; requiring hardware security keys for registrar account access; maintaining real-time monitoring for DNS record changes; and structurally isolating user fund custody from frontend infrastructure. Neutrl's post-incident migration to neutrl.finance and a new DNS provider, combined with the pre-existing custodial isolation of reserve assets, was cited in reporting as an effective response model. 
The Hypernative monitoring integration, which supported automated pausing of Neutrl's smart contracts, was credited in the security community as a key factor in preventing on-chain losses during the frontend compromise window.","heading":"Security Recommendations and Post-Incident Posture","severity":"low","sources":[{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"credibility":2,"name":"How Neutrl Built NUSD Onchain Settlement Architecture With Hypernative — Hypernative","type":"official","url":"https://www.hypernative.io/blog/how-neutrl-built-nusd-onchain-settlement-architecture-with-hypernative-as-real-time-monitor-and-pauser"},{"credibility":2,"name":"CoW Swap Frontend Attack Explained: DNS Hijacking — KuCoin Blog","type":"research","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"}]}],"sources_used":[{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"credibility":2,"name":"Neutrl Front-End Attack: Users Issued Urgent Warning — CryptoNewsZ","type":"news_article","url":"https://www.cryptonewsz.com/neutrl-front-end-attack-update-urgent-security/"},{"credibility":2,"name":"Neutrl Investigates Suspected Frontend Attack — Phemex News","type":"news_article","url":"https://phemex.com/news/article/defi-protocol-neutrl-investigates-suspected-frontend-attack-67486"},{"credibility":2,"name":"Neutrl Resumes Operations After DNS Migration — Phemex 
News","type":"news_article","url":"https://phemex.com/news/article/neutrl-resumes-operations-after-dns-migration-posthijacking-68032"},{"credibility":2,"name":"Neutrl DNS Migration Completed, Operations Resumed — WEEX Crypto News","type":"news_article","url":"https://www.weex.com/news/detail/neutrl-dns-migration-has-been-completed-and-operations-have-resumed-the-original-domain-will-be-gradually-phased-out-393585"},{"credibility":2,"name":"Neutrl DNS Migration Completed — PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/019d0f98-33ac-76cd-9ed3-35fdc6ef1292"},{"credibility":2,"name":"Neutrl Hack (2026) — Smart Contract Hacking","type":"research","url":"https://smartcontractshacking.com/hacks/neutrl-hack-2026"},{"credibility":2,"name":"March 2026 Crypto Security Report: $37.6 Million Lost Across 21 Incidents — Cryip","type":"research","url":"https://cryip.co/march-2026-crypto-security-report-37-6-million-lost-across-21-reported-incidents/"},{"credibility":2,"name":"The .fi Files: A Field Report on DNS Hijacking in DeFi — Web3SecNews (Substack)","type":"research","url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"credibility":1,"name":"Neutrl Raises $5M to Tokenize a Popular Hedge Fund Altcoin Trade — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2025/04/16/neutrl-raises-usd5m-to-tokenize-a-popular-hedge-fund-altcoin-trade"},{"credibility":2,"name":"How Neutrl Built NUSD Onchain Settlement Architecture With Hypernative as Real-Time Monitor and Pauser — Hypernative","type":"official","url":"https://www.hypernative.io/blog/how-neutrl-built-nusd-onchain-settlement-architecture-with-hypernative-as-real-time-monitor-and-pauser"},{"credibility":2,"name":"Neutrl — IQ.wiki","type":"research","url":"https://iq.wiki/wiki/neutrl"},{"credibility":1,"name":"HypurrFi Investigates Domain Hijacking, Warns Users — The 
Block","type":"news_article","url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"},{"credibility":1,"name":"CoW Swap Pauses Protocol Amid Domain Hijacking — The Block","type":"news_article","url":"https://www.theblock.co/post/397432/cow-swap-pauses-protocol-amid-domain-hijacking"},{"credibility":2,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/cow-swap-report-says-cow-fi-domain-hijack-redirected-swap-cow-fi-to-phishing-site-estimated-user-losses-m"},{"credibility":2,"name":"CIP-86 Passed: CoW DAO Begins Compensation for April Attack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"},{"credibility":2,"name":"CoW Swap Frontend Attack Explained: DNS Hijacking — KuCoin Blog","type":"research","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"}],"summary":"On March 19, 2026, DeFi protocol Neutrl experienced a suspected DNS hijack of its frontend domain, in which attackers allegedly social-engineered the protocol's DNS provider to redirect user traffic to a malicious interface targeting Permit2 wallet approvals. Neutrl paused its smart contracts as a precaution, migrated to new infrastructure by March 21, and confirmed all user funds remained safe via the protocol's custodial isolation framework. 
This incident is considered the earliest confirmed event in a six-week cluster of DeFi frontend hijacks in early 2026 that also struck HypurrFi (April 3) and CoW Swap (April 14).","timeline":[{"date":"2025-04-16","event":"Neutrl raises $5 million in seed funding led by STIX and Accomplice, with participation from Amber Group, SCB Limited, Figment Capital, Nascent, Guy Young (Ethena founder), and Joshua Lim (Arbelos Markets).","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2025/04/16/neutrl-raises-usd5m-to-tokenize-a-popular-hedge-fund-altcoin-trade"},{"date":"2025-11-01","event":"Neutrl opens to the public following completion of a $75 million pre-deposit vault campaign; NUSD becomes broadly accessible.","source":"IQ.wiki","source_url":"https://iq.wiki/wiki/neutrl"},{"date":"2026-03-19","event":"Neutrl DeFi detects a malicious event affecting its frontend, attributed to a suspected DNS hijack via social engineering of the protocol's DNS provider. Smart contracts are paused as a precaution. Users warned not to interact with the website. Investigation launched with external collaborator 0xGroomLake. Malicious contract addresses 0x23f2741EaA0045038e9b52100CdcC890163dE53F and 0xa0Adf074056E41dfB892aFC69881E15073b384b9 flagged publicly.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"date":"2026-03-21","event":"Neutrl completes DNS migration to new domain (neutrl.finance / app.neutrl.finance), switches to a new DNS provider, unsuspends smart contracts, and confirms all user funds are safe. 
Original domain (neutrl.fi) begins gradual phase-out.","source":"PANews / WEEX Crypto News","source_url":"https://www.panewslab.com/en/articles/019d0f98-33ac-76cd-9ed3-35fdc6ef1292"},{"date":"2026-04-03","event":"HypurrFi reports a domain hijack of hypurr.fi attributed to social engineering at registrar Openprovider — the second confirmed event in the 2026 DeFi frontend hijack cluster.","source":"The Block","source_url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"},{"date":"2026-04-14","event":"CoW Swap's cow.fi domain is hijacked at 14:54 UTC via social engineering of registrar Gandi through Traficom (Finland's .fi TLD authority). Approximately $1.2 million in user losses reported.","source":"The Block","source_url":"https://www.theblock.co/post/397432/cow-swap-pauses-protocol-amid-domain-hijacking"},{"date":"2026-04-15","event":"Web3SecNews publishes \"The .fi Files\" field report characterizing the Neutrl, HypurrFi, CoW Swap, and Steakhouse incidents as a coordinated campaign rather than isolated events.","source":"Web3SecNews (Substack)","source_url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"date":"2026-05-12","event":"CoW DAO passes CIP-86, authorizing compensation for users who lost funds in the April 14 DNS hijack. No comparable compensation proposal recorded for the Neutrl incident, consistent with reports of no confirmed user losses.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"}]},"v":1}
Verify offline (run on your own machine):
python -m src.verify_decision fe781d27-7154-499d-903e-5a9c30edb586
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine —
python -m src.verify_decision <event_id>.
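The row-integrity and memo checks described above can be reproduced by hand. The following is an added example, not avoid.net's own verifier: it assumes the stored hash is the raw SHA-256 digest encoded with the Bitcoin/Solana base58 alphabet (the page labels it "sha256 → base58") and that the memo text contains that hash as a substring. The sample record and memo are constructed, and all function names are hypothetical.

```python
import hashlib
import hmac
import json
from typing import Optional

# Bitcoin/Solana base58 alphabet (assumed to be the one behind "sha256 -> base58").
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def row_hash(canonical: bytes) -> str:
    """SHA-256 over the exact canonical bytes, rendered as base58."""
    return b58encode(hashlib.sha256(canonical).digest())


def matches_display(full: str, shown: str) -> bool:
    """Compare a full hash with a truncated 'head…tail' form as shown in the UI."""
    if "…" not in shown:
        return full == shown
    head, tail = shown.split("…", 1)
    return (len(full) >= len(head) + len(tail)
            and full.startswith(head) and full.endswith(tail))


def verify_row(canonical: bytes, stored_hash: str,
               memo: Optional[str] = None) -> dict:
    """Recompute the row hash and, if a memo is supplied, check the anchor."""
    computed = row_hash(canonical)
    result = {
        "computed": computed,
        "row_integrity": hmac.compare_digest(computed, stored_hash),
    }
    if memo is not None:
        # Assumption: the memo carries the base58 hash verbatim.
        result["memo_anchored"] = stored_hash in memo
    return result


# Constructed sample record and memo (not the real 22719-byte row).
SAMPLE = b'{"actor":"system:backfill","kind":"publish","sequence_num":1,"v":1}'
SAMPLE_HASH = row_hash(SAMPLE)
SAMPLE_MEMO = "audit:v1:" + SAMPLE_HASH

# Re-serialising the JSON changes whitespace, so the bytes (and the hash) differ.
# Always hash the bytes exactly as served, never a parsed-and-dumped copy.
RESERIALISED = json.dumps(json.loads(SAMPLE)).encode()

if __name__ == "__main__":
    print(verify_row(SAMPLE, SAMPLE_HASH, SAMPLE_MEMO))
    print(verify_row(RESERIALISED, SAMPLE_HASH, SAMPLE_MEMO))
```

A truncated hash such as the one displayed in the row can only confirm a prefix and suffix match; the full comparison needs the complete stored value.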