Steakhouse postmortem reveals DNS hijack caused by registrar 2FA bypass

A postmortem from Steakhouse has shed new light on a 30 March security incident. Attackers briefly hijacked its domain to serve a phishing site, exposing a critical weakness in off-chain infrastructure rather than on-chain systems.

The team confirmed that the attack stemmed from a successful social engineering attempt targeting its domain registrar, OVHcloud. This allowed the attacker to bypass two-factor authentication and take control of DNS records.

Social engineering led to full account takeover

According to the report, the attacker contacted the registrar’s support desk, impersonated the account owner, and convinced a support agent to remove hardware-based two-factor authentication.

Once access was granted, the attacker rapidly executed a series of automated actions. This included deleting existing security credentials, enrolling new authentication devices, and redirecting DNS records to infrastructure under their control.

This enabled the deployment of a cloned Steakhouse website embedded with a wallet drainer, which remained intermittently accessible for roughly four hours.

Phishing site active, but funds remained safe

Despite the severity of the breach, Steakhouse stated that no user funds were lost and no malicious transactions were confirmed.

The compromise was limited to the domain layer. On-chain vaults and smart contracts, which operate independently of the frontend, were not affected. The protocol emphasized that it holds no admin keys that could access user deposits.

Browser wallet protections from providers such as MetaMask and Phantom quickly flagged the phishing site, while the team issued a public warning within 30 minutes of detecting the incident.

Postmortem highlights vendor risk and single points of failure

The report points to a key failure in Steakhouse’s security assumptions: reliance on a single registrar whose support processes could override hardware-based protections.

The ability to disable two-factor authentication via a phone call, without robust out-of-band verification, effectively turned a credential leak into a full account takeover.

Steakhouse acknowledged that it had not adequately assessed this risk, describing the registrar as a “single point of failure” in its infrastructure.

Off-chain vulnerabilities remain a weak link

The incident underscores a broader issue in crypto security — that strong on-chain protections do not eliminate risks in surrounding infrastructure.

While smart contracts and vaults remained secure, control over DNS allowed the attacker to target users through phishing, a method increasingly common in the ecosystem.

The attack also involved tools consistent with “drainer-as-a-service” operations, highlighting how attackers continue to combine social engineering with ready-made exploit kits.

Security upgrades and next steps

Following the incident, Steakhouse has migrated to a more secure registrar. It implemented continuous DNS monitoring, rotated credentials, and launched a broader review of vendor security practices.

The team also introduced stricter controls for domain management, including hardware key enforcement and registrar-level locks.

Final Summary

• Steakhouse’s postmortem reveals that a registrar-level 2FA bypass enabled a DNS hijack, exposing users to phishing despite secure on-chain systems.
• The incident highlights how off-chain infrastructure and vendor security remain critical vulnerabilities in crypto ecosystems.