Steakhouse's $0 Hack: Smart Contracts Survive, Registrars Get Rekt

In a twist that would make even the most bullish degen raise an eyebrow, Steakhouse dropped a postmortem revealing how someone basically walked through the front door of their domain registrar on March 30. The attackers briefly hijacked the protocol's domain to serve up a phishing buffet, but here's the kicker: the on-chain stuff held strong. Turns out, when your smart contracts are airtight but your DNS is held together with nothing but vibes and a support ticket, you might have a bad time.

The attack vector was delightfully low-tech—classic social engineering aimed at OVHcloud, their domain registrar. The attacker dialed up support, pretended to be Steakhouse, and convinced a support agent to nuke the hardware-based 2FA like it was an inconvenience rather than the only thing standing between the protocol and chaos. No zero-day exploits, no flash loans, no audited reentrancy bugs. Just a smooth talker with a phone and a willingness to lie.

Once inside, the attacker went full automation: deleted existing security credentials like they were Marie Kondo-ing the account, enrolled new authentication devices faster than you can say "rug pull," and redirected DNS records to infrastructure they controlled. This let them deploy a cloned Steakhouse website with a wallet drainer embedded faster than you can say "gm." The phishing site stayed up for roughly four hours—long enough to ruin some lunches, but apparently not long enough to actually drain anyone. Progress, we guess.

Here's where the story gets almost frustrating in its anticlimax: despite attackers essentially owning the domain layer, nobody actually lost funds. No malicious transactions confirmed. The vaults sat there, chunky and untouched, because smart contracts don't care what your browser sees. They operate independently of the frontend, which means even when your website turns evil, your funds remain surprisingly apathetic about the situation. Steakhouse was also quick to note it holds no admin keys that could touch user deposits—because of course it doesn't, that's basically Web3 101.

The heroes of this story? Browser wallet protections from MetaMask and Phantom, which flagged the phishing site faster than the attackers could say "wen airdrop." Meanwhile, the Steakhouse team dropped a public warning within 30 minutes of realizing what happened. In crypto time, that's basically an Olympic sprinter. Most protocols discover they've been hacked months later while the attacker is already sipping piña coladas.

The report landed on a conclusion that would make any security auditor weep: relying on a single registrar whose support desk can be socially engineered into disabling hardware 2FA is, and we're being very technical here, bad. The ability to kill two-factor authentication with nothing but a phone call and a convincing story turned a simple credential leak into a full account