Ethereum co-founder Vitalik Buterin has issued an urgent public security warning, advising users to immediately avoid accessing any pages via the eth.limo gateway following a confirmed DNS registrar attack. The incident, announced by Buterin on social media platform X on April 18, 2026, highlights a critical vulnerability in the infrastructure that bridges traditional web browsers with decentralized Ethereum Name Service (ENS) domains.
The attack targeted the Domain Name System (DNS) records for eth.limo, a service that acts as a crucial Layer 2 gateway, processing between 1 and 1.5 million daily requests for over 17,000 unique ENS domains. By compromising the DNS, attackers could potentially redirect users attempting to visit addresses like vitalik.eth.limo to malicious servers, opening the door to phishing, malware, and digital asset theft. Buterin specifically warned against visiting any eth.limo-related pages until the service's team confirms full restoration.
The eth.limo team is actively working to regain control of the domain's DNS settings. Buterin noted the team reached out to him directly about the breach. As a secure workaround, he directed users to access his blog directly via the InterPlanetary File System (IPFS) at a specified hash, bypassing the compromised DNS infrastructure entirely.
This event underscores a persistent security tension in Web3: the reliance of decentralized applications on centralized web infrastructure components like DNS registrars and providers. The incident mirrors previous attacks on platforms like Curve Finance and MyEtherWallet, where DNS hijacking led to significant user losses. While the underlying ENS protocol and Ethereum blockchain remain secure, the gateway's compromise acts as a major accessibility roadblock.
Security experts point to this as a systemic vulnerability. The response protocol involves coordination with the registrar and DNS provider to revert malicious changes, followed by system audits. Buterin's rapid public warning is credited with likely limiting user exposure. No immediate reports of stolen funds have been linked to this specific attack, but the risk remains high as DNS hijacks can operate silently.
The long-term implications may accelerate development toward more resilient, decentralized access solutions, such as wider adoption of native ENS browser integration or hosting front-ends on networks like IPFS or Arweave.
