Neutrl Front-End Attack: Users Issued Urgent Warning

Decentralised finance protocol Neutrl is looking into a suspected security attack on its front-end interface. The security breach led to an urgent advisory for users to stop all activity on the platform and review wallet permissions.

The team shared the issue through a series of updates on X saying that its website may have been compromised. Even as the exact scope of the incident is still being probed, users have been asked to not interact with the application until further notice. The warning was issued as developers continue to examine the source and impact of the breach.

Neutrl’s Frontend Compromised by a DNS Hijack

Initial results indicate that the incident might correlate with a domain-level attack and not an underlying weakness in the smart contracts. On the project’s update, it pointed out that the domain service provider hosting the application was targeted via social engineering. Using this technique an attacker bypassed routing control of the site essentially taking the users to a malicious version of the interface. Such attacks are typically hard to identify on first glance.

Update on the ongoing security incident:

We are currently working with @0xGroomLake on the investigation. Initial findings suggest the DNS provider hosting the app domain was socially engineered, allowing an attacker to redirect the domain.

Neutrl smart contracts remain secure…

— Neutrl (@Neutrl) March 19, 2026

The platform may be similar, the same layout and functions as before. But, at the same time, the actions taken by the user can then spawn the bad requests. In this instance, the problem is related to permission approval with wallet access. Users were specifically warned by the protocol about Permit2 approvals. These permissions permit external contracts or addresses to administer tokens for the user. When an attacker gets access to them, they can make unapproved transfers without further verification. 

Neutrl has asked users to use Revoke.cash, a tool widely used to manage and cancel token approvals, to reduce potential risks. By revoking these permissions, users can prevent further access to their assets, even if a malicious approval was previously allowed.

The advisory included specific contract addresses i.e., 0x23f2741EaA0045038e9b52100CdcC890163dE53F

0xa0Adf074056E41dfB892aFC69881E15073b384b9 that should be checked and removed. Users were also encouraged to review their wallets more and revoke any permissions linked to unfamiliar addresses. The process is considered an important step in limiting exposure after such incidents and is simple as well.

Importantly, the team clarified that its smart contracts remain secure. As a precaution, they have been temporarily stopped as the investigation goes on. This step is aimed to prevent any unintended interactions until the issue is fully understood and resolved.

The nature of the attack brought to light a recurring vulnerability in decentralised applications. Even smart contracts themselves may be audited and secure, the front-end interfaces that users interact with can become targets. 

Once an attacker gets access to a domain, they can place a layer between users and the actual protocol. With this, they can intercept their actions and redirect them. This creates a situation where users believe they are using a real platform. In reality, they may be authorizing transactions that grant control over their assets. Once such permissions are put up, funds can be moved without extra approvals.

The Neutrl team has said it is working with external security specialists to probe the incident and track its origin. Further updates are expected as more details become available. A full post-incident report is also planned, which will plan the sequence of events and any measures taken to prevent similar issues in the future.

Also Read: Bonk.fun Hack Sparks Alert; Founder Puts Users First