DNS/CDN/frontend hash drift

Evidence summary #

V2+V3 combined: Highly applicable — app.uniswap.org and uniswap.org serve one of the highest-TVL DEX frontends globally (~$2.74B combined). No current DNS/frontend compromise detected (2026-05-12). No TLS cert anomaly identified. CRITICAL GAP: No JS bundle hash baseline established — static assessment cannot definitively clear without active monitoring. 2022 phishing was fake LP airdrop token, NOT DNS/frontend compromise of main interface. Yellow: high-brand-recognition elevates attack probability; monitoring infrastructure not yet live.

Detail #

Signal threshold: hash of any of {DNS A/AAAA record set, TLS cert issuer+serial, top-5 JS bundle hashes, IPFS CID} differs from last-known-good baseline AND no change-management entry in trailing 24h. Current state: app.uniswap.org and uniswap.org are live with valid TLS certificates as of assessment date. No unscheduled DNS changes detected. The 2022 phishing attack (fake UniswapLP token airdrop; ~$4.7-8M loss) was a social engineering attack via mass token airdrop to V3 LP addresses — NOT a DNS/CDN compromise of the main interface. This is a distinct attack vector from F105. No public reports of main interface compromise in 2024-2026. Yellow reasons: (a) T-09 classifies this as phase-2 signal requiring external monitoring stack; (b) Uniswap's ~$2.74B combined TVL and global DEX dominance make it the highest-priority target for DNS/frontend attacks in the coverage set; (c) no baseline hash has been established for this assessment; (d) Cloudflare, Vercel, or similar CDN configuration changes cannot be detected without active monitoring.

Sources #

Methodology #

Detect whether the hash of production frontend JS changes versus the prior published hash, or a DNS config change is detected.

See the full factor methodology and distribution across all protocols →