A postmortem report revealed that a security incident at Steakhouse on 30 March was caused by a domain hijack, not a protocol flaw. Attackers used social engineering to bypass two-factor authentication at the domain registrar, OVHcloud, redirecting DNS to a phishing site. No user funds were lost as on-chain systems remained secure, but the event exposed critical risks in off-chain infrastructure and vendor security.
A new postmortem has detailed a 30 March security incident at **Steakhouse**. The attack involved a brief domain hijack to serve a phishing site, exposing a weakness in off-chain infrastructure.
The team confirmed the attack stemmed from a successful social engineering attempt targeting its domain registrar, OVHcloud. This allowed the attacker to bypass two-factor authentication and take control of DNS records.
According to the report, the attacker impersonated the account owner to convince a support agent to remove hardware-based two-factor authentication. Once access was granted, the attacker deleted security credentials and redirected DNS records to their infrastructure.
This enabled the deployment of a cloned website embedded with a wallet drainer. The phishing site remained intermittently accessible for roughly four hours.
Despite the breach, Steakhouse stated that no user funds were lost and no malicious transactions were confirmed. The compromise was limited to the domain layer, leaving on-chain vaults and smart contracts unaffected.
Browser wallet protections from providers such as MetaMask and Phantom quickly flagged the phishing site. The team issued a public warning within 30 minutes of detecting the incident.
The report points to a key failure in relying on a single registrar whose support processes could override hardware-based protections. The ability to disable 2FA via a phone call turned a credential leak into a full account takeover.
Steakhouse acknowledged it had not adequately assessed this risk, describing the registrar as a “single point of failure.” The incident underscores that strong on-chain protections do not eliminate risks in surrounding infrastructure.
Following the incident, Steakhouse has migrated to a more secure registrar and implemented continuous DNS monitoring. The team also introduced stricter domain management controls, including hardware key enforcement.
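The "continuous DNS monitoring" mentioned above is, at its simplest, a scheduled comparison of the records a resolver currently returns against a baseline the operator controls, with delegation (NS) changes treated as the most urgent signal because that is what a registrar-level takeover alters first. The following is an added illustration, not code from Steakhouse, OVHcloud or the postmortem; the domain name, the baseline values and the two "observed" answer sets are constructed for the demonstration, and in production the observed set would come from a resolver poll run on a schedule.

```python
"""Continuous DNS monitoring as a record-drift check.

Added example, not Steakhouse's or OVHcloud's code. The domain, the
baseline record values and the two "observed" answer sets below are
constructed for the demonstration; in production the observed set would
come from a resolver poll (see live_a_records) run on a schedule.
"""
import socket
from dataclasses import dataclass

# Records the operator expects to see published (constructed values).
BASELINE = {
    "vault.example": {
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
        "A": {"203.0.113.10"},
    },
}

# Constructed resolver answers: one healthy, one resembling a registrar-level
# hijack where both the delegation and the web address now point elsewhere.
OBSERVED_CLEAN = {
    "vault.example": {
        "NS": {"ns1.registrar.example.", "ns2.registrar.example."},
        "A": {"203.0.113.10"},
    },
}
OBSERVED_HIJACKED = {
    "vault.example": {
        "NS": {"ns1.unknown-host.example."},
        "A": {"198.51.100.7"},
    },
}

# NS drift means the delegation itself moved; that outranks a changed address.
SEVERITY = {"NS": "critical", "A": "high"}


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    unexpected: frozenset  # values published that are not in the baseline
    missing: frozenset     # baseline values that are no longer published

    @property
    def severity(self) -> str:
        return SEVERITY.get(self.rtype, "medium")


def check_drift(baseline: dict, observed: dict) -> list[Finding]:
    """Compare observed record sets with the baseline and report every
    record type whose published values differ in either direction.
    A domain absent from `observed` counts as all baseline values missing."""
    findings = []
    for domain, expected_types in baseline.items():
        seen_types = observed.get(domain, {})
        for rtype, expected in expected_types.items():
            seen = set(seen_types.get(rtype, ()))
            unexpected, missing = seen - expected, expected - seen
            if unexpected or missing:
                findings.append(
                    Finding(domain, rtype, frozenset(unexpected), frozenset(missing))
                )
    return findings


def live_a_records(domain: str) -> set[str]:
    """Poll the system resolver for A records (stdlib only). NS lookups need a
    DNS library such as dnspython; they are left out so the example stays offline."""
    return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}


def format_alert(finding: Finding) -> str:
    """One-line alert text suitable for a pager or chat webhook."""
    return (
        f"[{finding.severity.upper()}] {finding.domain} {finding.rtype}: "
        f"unexpected={sorted(finding.unexpected)} missing={sorted(finding.missing)}"
    )


if __name__ == "__main__":
    for label, observed in (("clean", OBSERVED_CLEAN), ("hijacked", OBSERVED_HIJACKED)):
        findings = check_drift(BASELINE, observed)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + format_alert(finding))
```

Run on a timer (cron, a CI job, or an uptime service), the clean set produces no findings and the hijacked set produces a critical NS finding followed by a high A finding. Querying several independent resolvers rather than one reduces the chance that a poisoned or stale cache masks a real change, and the baseline itself should live somewhere the registrar account cannot alter, since the incident described above began with control of that account.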
