SlowMist: balancer.fi is currently under a BGP hijacking attack
ChainCatcher news: according to SlowMist intelligence, balancer.fi is currently under a BGP hijacking attack. Accessing the website and connecting a wallet may result in a phishing attack. According to Cloudflare's record of BGP origin hijack 17957, the list of victim ASNs includes AS13335, which is associated with balancer.fi. Currently, accessing the website triggers a phishing security warning from Cloudflare.
Here is the analysis of this incident by the SlowMist security team:
- Query the DNS resolution records of the domain balancer.fi (https://bgp.tools/dns/balancer.fi). The A records show the addresses 104.21.37.47 and 172.67.203.244. The BGP AS number for these two IP addresses is AS13335, which belongs to Cloudflare.
- According to Cloudflare's records (https://radar.cloudflare.com/routing/anomalies/hijack-17957), AS13335 is on the list of ASes involved in the BGP origin hijack attack.
- It was found that the HTTPS certificate for balancer.fi has been replaced with the attacker's certificate.
- Currently, accessing https://app.balancer.fi triggers a phishing security warning from Cloudflare.
- Analysis shows that there is malicious JavaScript code on the frontend of app.balancer.fi (https://app.balancer.fi/js/overchunk.js).
- Users connecting their wallets to app.balancer.fi will have their balances automatically checked by the malicious script, leading to phishing attacks.
- After analysis by MistTrack, the malicious addresses are as follows:
0x00006DEAcd9ad19dB3d81F8410EA2B45eA570000
0x645710Af050E26bB96e295bdfB75B4a878088d7E
0x0000626d6DC72989e3809920C67D01a7fe030000
The SlowMist security team reminds users that the BGP attack against Balancer is still ongoing, and that they should temporarily stop accessing the Balancer website to avoid being attacked.
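The first two analysis steps (map the domain's A records to their origin AS, then look for a conflicting origin) can be automated by a monitoring job. The sketch below is an added example, not SlowMist's or Cloudflare's tooling: the announcements are constructed, the prefix lengths are invented, AS64500 is a documentation ASN standing in for an unexpected origin, and a more-specific announcement is assumed as the hijack form.

```python
import ipaddress

# Expected origin AS and A records, both taken from the article.
EXPECTED_ORIGIN = 13335
A_RECORDS = ["104.21.37.47", "172.67.203.244"]

# Constructed (prefix, origin AS) announcements as a route collector might
# report them. Prefix lengths are invented; AS64500 is a documentation ASN
# (RFC 5398) used here as a placeholder for an unexpected origin.
ANNOUNCEMENTS = [
    ("104.21.32.0/20", 13335),
    ("104.21.37.0/24", 64500),   # more-specific prefix from an unexpected origin
    ("172.67.192.0/20", 13335),
    ("172.67.203.0/24", 13335),
]


def covering_routes(ip, announcements):
    """Return (network, origin) pairs whose prefix contains ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    routes = []
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            routes.append((net, origin))
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def check_origin(ip, announcements, expected):
    """Classify the route that longest-prefix match would select for ip."""
    routes = covering_routes(ip, announcements)
    if not routes:
        return {"ip": ip, "status": "no-route", "origins": []}
    best_len = routes[0][0].prefixlen
    # Several origins for the same best prefix (MOAS) is also worth flagging.
    best_origins = sorted({o for n, o in routes if n.prefixlen == best_len})
    if best_origins == [expected]:
        status = "ok"
    elif expected in best_origins:
        status = "moas-conflict"
    else:
        status = "origin-mismatch"
    return {"ip": ip, "status": status, "prefix": str(routes[0][0]), "origins": best_origins}


def audit(ips=A_RECORDS, announcements=ANNOUNCEMENTS, expected=EXPECTED_ORIGIN):
    """Run the origin check for every A record of the monitored domain."""
    return [check_origin(ip, announcements, expected) for ip in ips]
```

An `origin-mismatch` or `moas-conflict` result is a signal to compare the served TLS certificate against the known-good one before trusting the site, which is the next step in the analysis above.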