defirisk.co
rubric v1.7.0

Protocol-impersonator domain registered (typosquat)

A threat intelligence & recon factor in the v1.7.0 rubric. Measured per protocol on an episodic cadence.

Methodology: how we score

**What this measures** This episodic signal fires when a domain that is a typosquat or visual lookalike of the protocol's official domain has been registered within the trailing 90 days. Typosquat detection covers common substitution patterns (transposed characters, homoglyph substitutions, TLD variants, subdomain spoofing) against a monitored list of known protocol domains. Detection uses domain monitoring feeds (e.g., DNSTwist-class analysis) run at configurable intervals against the protocol's official domain. Category 11 context: typosquat domains are the infrastructure layer for phishing attacks targeting protocol users — they precede attacks by days to weeks.

**Why it matters** Typosquat domains targeting DeFi protocols are documented across five in-sample hack precedents in the T-01 database. The Curve Finance DNS hijack ($575K, 2022) showed that frontend attacks can be executed via legitimate-looking domains. Badger DAO's Cloudflare compromise exploited user trust in the official frontend. Protocol-impersonator domains targeting users of high-TVL protocols typically serve fake wallet-connection prompts, seed-phrase phishing, or malicious approval requests. A lookalike domain is often registered one to four weeks before a phishing campaign launches, which gives defenders actionable lead time.

**Green / Yellow / Red** Green is the baseline when no typosquat domains matching the protocol's official domain patterns have been registered in the trailing 90 days per the domain monitoring feed. Yellow fires when a domain with moderate similarity (e.g., protocol-app.xyz vs protocolapp.xyz) is registered; this could be a legitimate user registering a fan site or a minor variant. Red fires when a high-similarity typosquat (e.g., prrotocol.app, pr0tocol.finance) targeting the protocol's exact brand is registered within the trailing 90 days.

**Common gray cases** Gray applies when the domain monitoring feed has incomplete TLD coverage, or when the protocol operates without a traditional domain (e.g., IPFS-only frontend with ENS access), making typosquat detection inapplicable.

**Notable historical examples** No cross-hacked incidents are currently linked in the database for this factor.

Measurement: what to look for

Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.
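
One way to implement this check, as an added example that is not defirisk.co's own scoring code: it classifies newly registered domains against an official domain and applies the trailing 90-day window. The similarity thresholds, the homoglyph table, the `protocol.example` official domain and the feed rows are assumptions constructed for illustration; the rubric itself gives only example domains for each band.

```python
from datetime import date, timedelta

# Assumed homoglyph table (illustrative only; monitoring feeds use larger ones).
HOMOGLYPHS = str.maketrans("0135", "oles")

def osa_distance(a, b):
    """Edit distance where an adjacent transposition counts as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def label(domain):
    """Registrable label, assuming a single-part TLD (no 'co.uk' handling)."""
    return domain.lower().rstrip(".").split(".")[-2]

def classify(official, candidate):
    """Return 'red', 'yellow' or None. Thresholds are assumptions, not the rubric's."""
    brand = label(official).translate(HOMOGLYPHS)
    skeleton = label(candidate).translate(HOMOGLYPHS)
    if "-" in skeleton and brand in skeleton.replace("-", ""):
        return "yellow"                      # hyphen/affix variant (protocol-app)
    dist = osa_distance(skeleton, brand)
    if dist <= 1:
        return "red"                         # typo, homoglyph or bare TLD variant
    if dist == 2 or brand in skeleton:
        return "yellow"
    return None

def score_factor(official, registrations, today, feed_configured=True):
    """Apply the trailing-90-day window and return (band, evidence rows)."""
    if not feed_configured:
        return "gray", []                    # monitoring not configured
    cutoff = today - timedelta(days=90)
    hits = [(dom, reg, classify(official, dom)) for dom, reg in registrations
            if dom.lower() != official.lower() and reg >= cutoff]
    hits = [h for h in hits if h[2]]
    bands = {h[2] for h in hits}
    band = "red" if "red" in bands else "yellow" if "yellow" in bands else "green"
    return band, hits

# Constructed sample feed; 'protocol.example' stands in for the official domain.
FEED = [("prrotocol.app", date(2025, 5, 20)), ("pr0tocol.finance", date(2024, 11, 2)),
        ("protocol-app.xyz", date(2025, 6, 1)), ("unrelated.io", date(2025, 6, 3))]
```

Each row returned by `score_factor` carries the domain, its registration date and the band it triggered, which corresponds to the evidence artifact this factor records.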

Data & output

**Data source** Domain monitoring feed (CertStream / PhishFort / DomainTools) filtered for protocol name variants

**Output format** Green / Yellow / Red

**Evidence artifact** Newly registered domain + registration date + similarity to official domain

**Confidence signal** green = no typosquat registered in last 90 days; red = typosquat domain detected and active; gray = domain monitoring not configured for this protocol

Scored protocols: 80 carry this factor

| Protocol | Chain | RD-F-161 |
| --- | --- | --- |
| Aave v3 | ethereum | yellow |
| Across Protocol | ethereum | gray |
| Aerodrome Finance | base | red |
| Axelar Network | ethereum | yellow |
| Babylon Protocol | bitcoin | yellow |
| Balancer (v2 + v3) | ethereum | yellow |
| Beefy Finance | ethereum | green |
| BENQI | avalanche | yellow |
| BlackRock USD Institutional Digital Liquidity Fund (BUIDL) | ethereum | yellow |
| Cap (cUSD / stcUSD) | ethereum | yellow |
| Centrifuge | ethereum | green |
| Chainlink CCIP | ethereum | red |
| Circle USYC | binance | yellow |
| Compound V3 (Comet) | ethereum | yellow |
| Concrete | ethereum | green |
| Convex Finance | ethereum | yellow |
| crvUSD (Curve Stablecoin) | ethereum | yellow |
| Curve Finance | ethereum | yellow |
| deBridge | ethereum | gray |
| Dolomite | ethereum | yellow |
| dYdX v4 (dYdX Chain) | dydx | red |
| EigenLayer | ethereum | yellow |
| Ethena | ethereum | red |
| ether.fi | ethereum | yellow |
| Euler V2 | ethereum | not_assessed |
| Falcon Finance | ethereum | red |
| Fluid | ethereum | yellow |
| Frax Finance | ethereum | yellow |
| GMX v2 (GMX Synthetics) | arbitrum | not_assessed |
| Hyperlane | ethereum | yellow |
| Hyperliquid | arbitrum | red |
| Jito | solana | yellow |
| Jupiter | solana | red |
| Jupiter Perpetual Exchange | solana | yellow |
| JustLend DAO | tron | red |
| Kamino Lend | solana | green |
| Kinetiq | hyperliquid | red |
| Lido | ethereum | yellow |
| Liquid Collective (LsETH) | ethereum | gray |
| Liquity V1 + V2 (LUSD / BOLD) | ethereum | yellow |
| Lista DAO | bsc | yellow |
| Lombard Finance | ethereum | red |
| M^0 | ethereum | green |
| Maple Finance | ethereum | yellow |
| Marinade Finance | solana | red |
| Meteora | solana | red |
| mETH Protocol | ethereum | yellow |
| Midas | ethereum | gray |
| Morpho V1 (Morpho Blue + MetaMorpho) | ethereum | yellow |
| Multipli | ethereum | yellow |
| Ondo Finance | ethereum | gray |
| OpenEden | ethereum | green |
| Orca | solana | gray |
| PancakeSwap | bsc | red |
| Pendle Finance | ethereum | yellow |
| Polymarket | polygon | yellow |
| QuickSwap | polygon | yellow |
| Raydium | solana | not_assessed |
| Rocket Pool | ethereum | yellow |
| Sanctum | solana | yellow |
| Save (formerly Solend) | solana | yellow |
| Sky Lending (formerly MakerDAO) | ethereum | gray |
| Spark Protocol | ethereum | yellow |
| Spiko | stellar | yellow |
| Stake DAO | ethereum | green |
| StakeWise v3 | ethereum | gray |
| Stargate Finance | ethereum | gray |
| stHYPE (Valantis Labs) | hyperliquid | yellow |
| SUNSwap (sun.io) | tron | red |
| Superstate | ethereum | yellow |
| Sushi (SushiSwap) — v2 + v3 + Trident + BentoBox/Kashi + SushiXSwap | ethereum | yellow |
| Symbiotic | ethereum | yellow |
| Synapse Protocol | ethereum | not_assessed |
| Uniswap (v2 + v3) | ethereum | yellow |
| USDD (Decentralized USD) | tron | red |
| Usual (USD0 / bUSD0 / USUAL) | ethereum | yellow |
| Veda (BoringVault) | ethereum | gray |
| Venus Protocol | bsc | yellow |
| Wormhole | ethereum | green |
| Yearn Finance | ethereum | yellow |

Linked hacks: no historical incidents linked

No historical incidents are linked to this factor.
rubric_version v1.7.0 factor RD-F-161 category 11 carried 80 critical no