# Frontend Compromise Incident Response

**Published by:** [Defendefi](https://paragraph.com/@defendefi/)
**Published on:** 2023-12-03
**URL:** https://paragraph.com/@defendefi/frontend-compromize

## Content

This article forms part of a wider series on DeFi-focused incident response plans and playbooks. Surprisingly, only 2% of surveyed DeFi protocols possess an incident response plan. These IRPs are designed to guide smaller protocols lacking such plans, especially in the event of an incident. Each plan in this series is intentionally generic, accommodating the distinctly unique characteristics of various incidents. The original playbooks can be found on Github.

### Scope

This playbook is specifically designed to address incident response to a compromised frontend.

### 1. Preparation

- **Audit and Review:** Regularly audit frontend code and dependencies for vulnerabilities.
- **Monitoring Measures:** Set up in-house monitoring to help identify any unusual activity.
- **Incident Response Team:** Establish an incident response team to engage in a war room scenario.
- **Regularly stocktake node packages:** Maintain regular audits and a stocktake of NPM packages.
- **Store MD5 Hashes:** Record and store the MD5 hashes of the web body content on each deployment.
- **Maintain access list:** Maintain and regularly audit a list of who has access to the admin panel.
- **Regular Backups:** Maintain a staging environment and backups for emergency use.
- **Pre-written Comms:** Engage the legal team to draft pre-written comms to use in case of emergency.
- **Maintain contact list:** Maintain a contact list with service providers and white-hats.

### 2. Identification

Identify the incident from monitoring capability:

- In-house monitoring signals.
- Publicly identified compromise:
  - Members of the public have identified and alerted to the compromise.
  - A public security service has identified the compromise.

Identify the changes that resulted from the frontend compromise:

- Check the DNS change logs of the webpage.
- Has the MD5 hash changed?
- Filter through unusual frontend interactions.
- Identify any new contract addresses on the frontend.

### 3. Response

Immediate steps following frontend compromise detection:

- Secure and isolate affected assets and servers.
- Alert internal security teams and start emergency protocols.
- Issue organization-wide notifications to cease all frontend-related operations temporarily.
- Begin checking the software supply chain for any malicious NPM packages.
- Check access logs for the admin panel.
- Liaise with service providers from the contact list for:
  - Assistance in tracking and halting malicious activities.
  - Support in recovering compromised assets, if possible.
  - Advice on fortifying security measures post-incident.
- Report any phishing contract address to Chainabuse.
- If the webpage is actively visited and user funds are being drained, report the URL to MetaMask Phishing Detect.
- Begin distributing pre-written communications:
  - Where possible, have legal pre-read and authorize distribution.
  - Use social profiles to distribute the initial statement.

### 4. Recovery

Analyze the incident to determine:

- The vulnerability that led to the exploit.
- The full extent of damages, including asset loss and data compromise (if any).
- Necessary improvements in security protocols and staff training for prevention.

Begin backup deployment and return the webpage to normal operation:

- Only after the access audit and package audit.
- Only after the vulnerability has been identified and mitigated.
- Reconfigure DNS settings and review.
- Remove any reports to MetaMask Phishing Detect (if applicable).
- Store the new MD5 hash.

Develop a recovery strategy encompassing:

- Steps for safe resumption of all operations.
- Stocktake of new and old server addresses following the incident.
- Preventative measures against future incidents (bug bounties etc.).
- Communication plans to restore trust with affected parties.

### Additional Resources

- Curve Finance Frontend Compromise Incident Report
- Velodrome Frontend Compromise Incident Report
- Package Analysis
- DNS Checker
- Hunting Malicious Packages
- MetaMask Eth Phishing Detect
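The "Store MD5 Hashes" preparation step and the identification checks ("Has the MD5 hash changed?", "Identify any new contract addresses on the frontend") carried out in code, as an added Python example that is not part of the original playbook. The file contents and the two addresses are constructed placeholders; the digest algorithm is a parameter (the playbook records MD5, this example defaults to SHA-256, which is the stronger choice for a tamper check).

```python
import hashlib
import re

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed placeholder addresses, not real contracts.
KNOWN_ROUTER = "0x" + "11" * 20
INJECTED = "0x" + "ab" * 20

# Constructed sample deployments (path -> served bytes). In practice read the
# build output from disk and fetch the live pages from the CDN/origin.
CLEAN_DEPLOY = {
    "index.html": b"<html><script src='app.js'></script></html>",
    "app.js": f"const ROUTER = '{KNOWN_ROUTER}';".encode(),
}
TAMPERED_DEPLOY = {
    "index.html": CLEAN_DEPLOY["index.html"],
    "app.js": f"const ROUTER = '{INJECTED}';".encode(),  # address swapped
    "inject.js": b"// file that was never part of the deployment",
}

def build_manifest(files, algo="sha256"):
    """One digest per file, recorded at deployment time. The playbook stores MD5;
    any hashlib algorithm works and SHA-256 is the safer default."""
    return {p: hashlib.new(algo, data).hexdigest() for p, data in files.items()}

def diff_manifest(baseline, current):
    """Compare the stored deployment manifest with what the site serves now."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def unknown_addresses(files, allowlist):
    """EVM-style addresses in the served content that are not on the allowlist."""
    allowed = {a.lower() for a in allowlist}
    found = {m.lower() for data in files.values()
             for m in ADDRESS_RE.findall(data.decode(errors="ignore"))}
    return sorted(found - allowed)

def check_deployment(baseline, live_files, allowlist, algo="sha256"):
    """Identification check: file diff plus suspect addresses; clean only if nothing moved."""
    diff = diff_manifest(baseline, build_manifest(live_files, algo))
    suspects = unknown_addresses(live_files, allowlist)
    clean = not (diff["added"] or diff["removed"] or diff["changed"] or suspects)
    return {"clean": clean, "unknown_addresses": suspects, **diff}

if __name__ == "__main__":
    print(check_deployment(build_manifest(CLEAN_DEPLOY), TAMPERED_DEPLOY, [KNOWN_ROUTER]))
```

Run the check on a schedule against the live site and on every deploy; a non-empty `changed`/`added` list or any unknown address is the signal that moves the team into the Response section.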