How VectorSec Uses Automation to Hunt Web2 vulnerabilities (part 1)
January 29, 2026

Web3 teams often spend most of their security budget on smart contracts, but many of the incidents that actually drain users start before a single on-chain instruction runs. Frontends get redirected, credentials leak from developer workflows, and spoofed communications trick users into signing the wrong thing.
At VectorSec, we automate checks across common (and very abusable) surfaces including:
- DNS & domain integrity (where users think they’re going)
- GitHub secret exposure (what your code accidentally publishes)
- Security email configuration (how attackers impersonate you)
DNS Automation: Detect hijacks, poisoned records, and risky domain changes
DNS is the map users follow to reach your app. If attackers can change that map, they can reroute users to a perfect clone and drain wallets via malicious approvals or signatures.
What we automate
- DNS resolution monitoring across multiple regions/recursive resolvers.
- Nameserver + registrar-change alerts.
- Record drift detection (A/AAAA/CNAME changes, TTL anomalies, new subdomains suddenly appearing).
- HTTPS/CT log correlation (new certificates issued).
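An added example (not VectorSec's tooling) of the "diff + alert" half of that list: a stored baseline is compared against a fresh snapshot and every drift class above produces an alert with a severity. Both snapshots are constructed inline; a real job would populate them from several recursive resolvers and persist the baseline between runs.

```python
# Added example, not VectorSec's tooling: diff a stored DNS baseline against a fresh
# snapshot and raise alerts for the drift classes listed above. Both snapshots are
# constructed inline; a real job would populate them from several recursive
# resolvers and persist the baseline between runs.

BASELINE = {  # constructed baseline for an imaginary app domain
    "app.example": {"NS": {"ns1.example-dns.net", "ns2.example-dns.net"},
                    "A": {"203.0.113.10"}, "TTL": 3600},
    "api.app.example": {"CNAME": {"app.example"}, "TTL": 3600},
}
CURRENT = {  # constructed later snapshot: nameservers, A record and TTL all changed
    "app.example": {"NS": {"ns1.attacker-dns.invalid", "ns2.attacker-dns.invalid"},
                    "A": {"198.51.100.7"}, "TTL": 60},
    "api.app.example": {"CNAME": {"app.example"}, "TTL": 3600},
    "wallet-connect.app.example": {"A": {"198.51.100.8"}, "TTL": 60},
}
WATCHED_TYPES = ("NS", "A", "AAAA", "CNAME")
SEVERITY_ORDER = ("critical", "high", "medium")

def diff_records(baseline, current, ttl_drop_ratio=0.1):
    """Return (severity, name, message) tuples, most severe first."""
    alerts = []
    for name, cur in current.items():
        old = baseline.get(name)
        if old is None:
            # Never seen before: a new subdomain, legitimate or injected into the zone.
            alerts.append(("high", name, "new name not present in baseline"))
            continue
        for rtype in WATCHED_TYPES:
            before, after = old.get(rtype, set()), cur.get(rtype, set())
            if before != after:
                # A nameserver change moves control of the whole zone, so it ranks highest.
                sev = "critical" if rtype == "NS" else "high"
                alerts.append((sev, name, f"{rtype} {sorted(before)} -> {sorted(after)}"))
        # A sharp TTL drop precedes both planned migrations and hijacks; it deserves a look.
        if cur.get("TTL", 0) < old.get("TTL", 0) * ttl_drop_ratio:
            alerts.append(("medium", name, f"TTL {old['TTL']} -> {cur['TTL']}"))
    for name in baseline:
        if name not in current:
            alerts.append(("medium", name, "name disappeared from snapshot"))
    return sorted(alerts, key=lambda a: SEVERITY_ORDER.index(a[0]))

def has_critical(alerts):
    """True when any alert warrants paging rather than a daily digest."""
    return any(sev == "critical" for sev, _, _ in alerts)

if __name__ == "__main__":
    for sev, name, msg in diff_records(BASELINE, CURRENT):
        print(f"[{sev}] {name}: {msg}")
```

The "verify" step (re-resolving from an independent resolver before paging) is left out so the block stays offline.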
Web3 incidents tied to DNS / domain control
Curve Finance, May 2025 - Curve reported its curve.fi domain was hijacked via a registrar-level DNS attack, redirecting users to a malicious site (smart contracts weren’t compromised, but the frontend path was).
Aerodrome Finance, Nov 2025 - Aerodrome users were warned to avoid the main domain during a suspected DNS hijacking / frontend compromise that redirected traffic to phishing infrastructure; security researchers later described wallet theft in the aftermath.
Velodrome Finance, Nov 2025 - Velodrome faced a similar centralized domain takeover/DNS redirection during the same incident window, pushing users toward fraudulent pages.
Why automation helps
DNS incidents are often short-lived. If you only learn about them from public reports, you’re already late. Automated “diff + alert + verify” loops are what catch these in minutes rather than hours.
GitHub Secrets Automation: Find leaked credentials before attackers do
Setting DNS aside, the fastest way to lose money in Web3 is key or credential compromise. And the easiest way to compromise keys is to let them escape into code, even briefly, where automated scanners pick them up.
Where we scan for secrets
- Default branches, PRs, and commit history
- Public repos, forks (where relevant), and accidental mirrors
- CI logs and build artifacts
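An added example (not VectorSec's scanner) of the core of a secret scan run over text from any of those sources: a few credential patterns, an entropy gate so zeroed placeholders do not page anyone, and redaction so the finding itself never re-leaks the value. The patterns and the sample diff are constructed for illustration.

```python
import math
import re

# Added example, not VectorSec's scanner: look for credential patterns in text such
# as a diff, a CI log or a build artifact, using Shannon entropy to drop obvious
# placeholders. The patterns and the sample diff below are constructed for illustration.

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "evm_private_key": re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
MIN_ENTROPY = 3.0  # bits per character; repeated or zeroed placeholders fall well below

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text, source="<constructed>"):
    """Return one finding per match: source, line number, pattern name, redacted token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                # PEM headers are fixed text, so the entropy gate only applies to key material.
                if name != "pem_private_key" and shannon_entropy(token) < MIN_ENTROPY:
                    continue
                findings.append({"source": source, "line": lineno, "type": name,
                                 "match": token[:6] + "..." + token[-4:]})  # never log the full value
    return findings

# Constructed sample diff: two real-looking credentials, one all-zero placeholder, one PEM header.
SAMPLE_DIFF = "\n".join([
    "+DEPLOYER_KEY=0x" + "0123456789abcdef" * 4,
    "+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "+EXAMPLE_KEY=0x" + "0" * 64,
    "-----BEGIN EC PRIVATE KEY-----",
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF, "deploy/.env (constructed)"):
        print(f"{f['source']}:{f['line']} {f['type']} {f['match']}")
```

Commit history needs the same function run over every historical blob, not just the current tree, since a value removed in a later commit is still fetchable.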
Web3 incidents tied to GitHub secrets / repo compromise patterns
Trust Wallet, Dec 2025 - Trust Wallet disclosed a Chrome extension incident that resulted in roughly $7M in losses, tied to malicious code distribution and compromised credentials, with reporting noting involvement of GitHub secrets among the compromised components.
Malicious “trading bot” repo targeting Solana users, July 2025 - Researchers documented a fake open-source Solana bot on GitHub that exfiltrated private keys and drained wallets (reported theft included 1,164 SOL).
Shai-Hulud (v2), Nov 2025 - Multiple investigations described a large-scale software supply chain campaign that used automated tooling to discover and exfiltrate credentials, including abusing GitHub-related access paths and targeting widely used ecosystems.
Why automation helps
Leaks don’t need to be public for long. A key committed for 10 minutes can still be harvested, replayed, and used later. Automation is about shrinking time-to-detection and making rotation “boring and repeatable.”
Secure Email Configuration Automation: Stop spoofing, improve trust, catch reports
Email is how:
- users receive “urgent” instructions,
- partners share sensitive info,
- and researchers report vulnerabilities.
If your domain can be spoofed, or if your inbox is misconfigured, attackers can impersonate you, and defenders can’t reliably reach you.
What we automate
- SPF alignment + include hygiene
- DKIM validity
- DMARC policy enforcement
- Brand + impersonation monitoring
- Lookalike domain watch
- Whether you publish security.txt and a clear reporting path
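An added example (not VectorSec's checker) of the SPF and DMARC items above, graded from raw TXT record strings: a drifted, permissive setup beside a hardened one. The records are constructed; a real job resolves them and re-runs on a schedule. DKIM is omitted because validating it needs each sending service's selector and key.

```python
# Added example, not VectorSec's checker: grade SPF and DMARC TXT records for the
# weaknesses listed above. Records are constructed strings; a real job resolves them.

MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4: over 10 DNS-querying terms is a permerror

def _needs_lookup(term):
    # include, a, mx, ptr, exists and redirect each cost a DNS query; ip4/ip6/all do not.
    name = term.lstrip("+-~?").lower()
    for sep in (":", "/", "="):
        name = name.split(sep, 1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")

def check_spf(record):
    """Return human-readable findings; an empty list means the record looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    final = next((t for t in terms[1:] if t.lstrip("+-~?") == "all"), None)
    if final is None:
        findings.append("SPF has no terminal 'all' mechanism")
    elif final in ("+all", "all"):
        findings.append("SPF permits any sender (+all)")
    elif final in ("?all", "~all"):
        findings.append(f"SPF {final} does not reject forged senders; use -all or rely on DMARC reject")
    # Only top-level terms are counted; nested includes add more lookups in practice.
    lookups = sum(_needs_lookup(t) for t in terms[1:])
    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"SPF needs {lookups} DNS lookups (limit {MAX_SPF_LOOKUPS}); receivers permerror")
    return findings

def check_dmarc(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC policy applies to only {tags['pct']}% of mail")
    if not tags.get("rua"):
        findings.append("DMARC has no rua= address, so aggregate reports are lost")
    return findings

# Constructed records: a drifted, permissive setup beside a hardened one.
WEAK = {"spf": "v=spf1 include:_spf.example-crm.net include:mail.example-support.net a mx ~all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.example-crm.net -all",
            "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@app.example"}
```

Running both checks on every scheduled pass and diffing the finding lists against the previous run is what turns this into the "silent regression" detector the section describes.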
Web3 incidents tied to email-based impersonation / abuse
PoisonSeed campaign, April 2025 - Threat reporting described compromises of CRM/bulk email providers (including SendGrid) used to send convincing crypto phishing at scale, pushing “seed phrase” traps and wallet-drain flows.
Ledger-targeted phishing emails, Aug 2025 - A documented campaign sent phishing emails designed to trick Ledger users into “fixing” a fake issue and handing over access via malicious flows.
Trezor phishing sent via hacked Substack newsletter, Oct 2025 - Reporting showed phishing emails impersonating Trezor distributed through a compromised newsletter account; Trezor also publicly warned users about malicious emails around this period.
Why automation helps
Email security isn’t “set and forget.” DNS records drift, vendors change, and new sending services appear (support tools, CRMs). Continuous checks prevent silent regressions that attackers love.
Closing thought
DNS integrity, GitHub secret hygiene, and email authentication are three automation pillars that repeatedly show up in real-world losses, but they’re only one slice of how VectorSec approaches automated security for Web3 teams. They are part of a broader system that also tracks CI/CD exposures, frontend supply-chain risk and cloud misconfigurations. In practice, attackers don’t care whether a weakness is “Web2” or “Web3”; they care whether it works.