How a coordinated registrar exploit exposed domain vulnerabilities across two major Web3 platforms, and what it means for DNS security in crypto.
Case Study: PancakeSwap & C.R.E.A.M. Finance
Incident: DNS Hijacking & Phishing Redirects
Date: March 15, 2021
Overview
On March 15, 2021, two major DeFi platforms on Binance Smart Chain — PancakeSwap and C.R.E.A.M. Finance — experienced simultaneous DNS hijacking attacks that redirected users to lookalike phishing websites.
The fraudulent sites were designed to extract wallet seed phrases from users under the guise of resolving errors, exposing significant risks in centralized DNS infrastructure supporting Web3 platforms.
While both platforms’ smart contracts remained secure, the incident highlighted the vulnerabilities present in traditional Web2 systems — specifically domain registrars and DNS configurations.
—
🔐 Want the full framework? Download DomainSure’s guide to Domain & DNS Security for Crypto, DeFi and Web3 Platforms.
—
Timeline of Events
- 7:30–7:45 PM (UTC+8): C.R.E.A.M. Finance users report website outages and suspicious behavior.
- ~10:30 PM: PancakeSwap experiences the same issue.
- By midnight, March 16: Engineering teams regain control over DNS records.
- Next day: Services fully restored; public communications confirm details of the incident.
Nature of the Breach
This was a DNS spoofing/phishing attack. Both official domains — pancakeswap.finance and cream.finance — were redirected to nearly identical clone sites. These fake interfaces prompted users to input their seed phrases, which were then sent to the attackers.
PancakeSwap’s cloned site displayed an alert:
“Handshake error… continue by providing seed phrase.”
This is a red flag in crypto security. No legitimate site should ever request seed phrases or private keys.
How Domain/DNS Was Exploited
Both projects were using GoDaddy as their registrar. The breach was not due to compromised internal credentials, but rather to social engineering of GoDaddy support staff.
The attacker convinced GoDaddy to update the DNS records for both domains — one after the other — within the span of one minute. This pointed both domains to malicious IPs hosting the cloned websites.
The synchronized timing of the changes indicated this was a registrar-level compromise rather than two isolated phishing campaigns.
Consequences
- No on-chain exploits: Smart contracts remained untouched.
- Conditional user losses: Users who entered their seed phrases may have had wallets drained.
- Service disruption: Each platform experienced hours of downtime.
- Reputation risk: Despite resolving the issue quickly, public trust was temporarily impacted.
Detection
- Users first reported suspicious activity.
- C.R.E.A.M. engineers verified DNS had been altered.
- PancakeSwap quickly followed with the same confirmation.
- Both projects immediately issued public warnings via Twitter.
Response & Recovery
- Emergency communications: “DO NOT use the site” tweets went out promptly.
- Coordination with aggregators: CoinMarketCap and CoinGecko were asked to flag or remove the project links temporarily.
- DNS restoration: Engineers reversed the changes with GoDaddy.
- Backup access: C.R.E.A.M. launched IPFS and ENS-based interfaces. PancakeSwap used a backup .ai domain.
- Postmortems: Both platforms published incident recaps within days.
Public Communication
Both teams prioritized transparency and real-time updates via Twitter.
- C.R.E.A.M. tweeted at 7:43 PM UTC.
- PancakeSwap warned users by 10:36 PM, before confirming their own compromise.
- Both platforms published post-incident blogs and thanked their users, developers, and each other for collaborative mitigation.
Lessons Learned & Aftermath
Registrar Security
- PancakeSwap migrated to MarkMonitor, a registrar known for advanced DNS protection and enterprise-grade support.
Backup Interfaces
- IPFS and ENS interfaces were deployed.
- PancakeSwap secured a .ai domain for emergency fallback access.
User Education
- Users were reminded that no legitimate Web3 application should request seed phrases.
- The incident became a cautionary tale cited in wallet safety guides.
Infrastructure Hardening
- DNSSEC was implemented.
- TLS, DKIM, and SPF configurations were audited and upgraded.
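The controls described under Detection and Infrastructure Hardening, as an added Python example that is not DomainSure's or either project's code: it pins expected DNS answers and alerts on drift, verifies the DNSSEC AD flag from a validating resolver, checks registrar lock status codes, and audits the SPF record. The domain, IPs and records below are constructed placeholders, so it runs offline.

```python
# Added example, not DomainSure's or either project's code: an offline audit that
# encodes the controls this case study calls for: DNS drift against a pinned
# baseline, the DNSSEC AD flag from a validating resolver, registrar lock status
# codes, and a permissive SPF record. All inputs are constructed samples.
from collections import namedtuple

# Standard EPP status codes that block unauthorised updates, transfers and deletes.
REQUIRED_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
Finding = namedtuple("Finding", "domain kind detail")

def check_dns_drift(domain, observed, baseline):
    """Flag any record type whose live answer set differs from the baseline."""
    out = []
    for rtype, expected in baseline.items():
        seen = set(observed.get(rtype, ()))
        if seen != set(expected):
            out.append(Finding(domain, "dns_drift",
                               f"{rtype}: expected {sorted(expected)}, saw {sorted(seen)}"))
    return out

def check_registrar_locks(domain, statuses):
    """One finding per missing lock so alerts stay specific."""
    return [Finding(domain, "missing_lock", s) for s in sorted(REQUIRED_LOCKS - set(statuses))]

def check_spf(domain, txt_records):
    """Require exactly one SPF record whose terminal mechanism is not +all/?all."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [Finding(domain, "spf", f"expected 1 SPF record, found {len(spf)}")]
    last = spf[0].split()[-1]
    if last in ("+all", "?all", "all"):
        return [Finding(domain, "spf", f"permissive terminal mechanism: {last}")]
    return []

def audit(domain, observed, baseline, statuses, ad_flag):
    findings = check_dns_drift(domain, observed, baseline)
    findings += check_registrar_locks(domain, statuses)
    findings += check_spf(domain, observed.get("TXT", ()))
    if not ad_flag:  # AD bit clear: zone unsigned or validation failed upstream
        findings.append(Finding(domain, "dnssec", "answer not authenticated (AD flag clear)"))
    return findings

# Constructed sample: baseline pins the real hosting IPs; the "live" answer points
# elsewhere, as a registrar-side change would, and only the transfer lock is set.
BASELINE = {"A": {"203.0.113.10", "203.0.113.11"}}
LIVE = {"A": ["198.51.100.77"], "TXT": ["v=spf1 include:_spf.example.net +all"]}
if __name__ == "__main__":
    for f in audit("example-dex.finance", LIVE, BASELINE, ["clientTransferProhibited"], False):
        print(f.kind, f.detail)
```

Run on a schedule against a validating resolver and the registrar's RDAP status output, the first finding type is the one that would have fired within minutes of the March 2021 record change.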
Industry Impact
- The incident catalyzed DNS audits across the Web3 space.
- Several DeFi teams migrated away from GoDaddy.
- GoDaddy faced community scrutiny for lacking registrar-level safeguards.
—
Want a deeper look at how attackers exploit domain layers in DeFi and Web3 platforms?
Read the full DomainSure DNS security guide for crypto and Web3 projects.
—
Strategic Takeaways
- Decentralized apps rely on centralized DNS.
- Registrar support systems are exploitable attack surfaces.
- Backups, alerts, and user warnings are non-negotiable.
- DNSSEC, registrar locks, and enterprise-level oversight should be baseline.
Conclusion
The PancakeSwap and C.R.E.A.M. Finance hijacks showed that DNS — not smart contracts — may be the easiest entry point for attackers.
Both projects avoided direct losses due to fast detection and decisive communication, but the risk remains: if Web3 apps rely on legacy DNS infrastructure, they must apply the same threat models they use for smart contract security.
DomainSure helps secure your Web3 gateway — with active DNS monitoring, registrar lock advisory, and phishing protection tailored for crypto teams.
—
Crypto projects win when they protect their access points.
👉 Download the free Domain & DNS Security for Crypto, DeFi and Web3 Platforms white paper