Bitdefender alerting and blocking suspicious activity on Daedalus launch. Connecting to .XYZ domains triggers

Upon launch, Daedalus appears to be connecting to two different .xyz domains that are triggering Bitdefender. and

Is the Daedalus wallet connecting to every stakepool on the network? Sorry for the ignorance regarding the underlying tech, just want to understand what’s taking place behind the scenes and make things secure.

I can tell you that Malwarebytes was triggered by some domains until I made exceptions for the program files concerned. I see it as safe to do that because these are web threats and the protocol is different. A threat to Cardano protocol would have to be specifically targeted, and IMO that’s extremely unlikely.

Sure, I could whitelist them but it’s important to understand why they were triggered in the first place. With so many stake pools, I can’t imagine it’s efficient to have the wallet calling to each one of them and pulling different resources.

I’ve run a number of websites and I know that blacklisting is often due to false positive findings. Taking that fact in combination with the point I made above, that any threat would have to specifically target the protocol, I don’t worry about these programs being triggered. Of course you’re allowed to take a different view! :smile:

As for your other point, consensus is one of the most important aspects of the protocol, and I think reducing the number of nodes involved would inevitably compromise that.

I had the same issue with my Bitdefender. You can block it; it does not affect the wallet. I ran a VirusTotal on it, and everything came out “clean”. Blocking these connections will not interfere with your wallet if you want to be on the safe side.

When using suspicious links like that make sure you use . https://cardanopool[.]xyz and https://www.millennialsage[.]xyz

I can confirm that the Daedalus 2.1.0 app looks up tens, maybe hundreds of stake pool domain names, even in the Connecting to network phase. This includes I have a lot of these domain names automatically blocked by the DNS service I use, as they’re newly registered, but Daedalus still works.

The .xyz TLD was a few years ago on Spamhaus’ top 10 most abused list, maybe that’s why a security product is blocking it. These days the .xyz TLD is nowhere near the top 10 most abused, it’s below .com even.

I’m not sure why Daedalus would connect to all these. I assume it’s not for the core Ouroboros protocol, because I didn’t see any or similar domain names, but I did see lots of and other generic, plain domain names like

While registering a pool, pool operators are specifying a metadata URL for a JSON file they’ll host (along with its hash). This is where they’ll host their stakepool information (name, ticker, description, extended metadata, etc) - as it wouldn’t make sense to store this on chain forever.

The current implementation of cardano-wallet uses the blockchain ledger to scan these URLs and fetch the ticker information on client machines. However, this is a makeshift situation - and once the SMASH component is integrated, wallets will be able to query SMASH servers instead, and won’t need to reach any of these URLs.
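
The hash registered alongside each metadata URL is what lets a client fetch from hundreds of unrelated domains without trusting any of them. The sketch below is an added example, not part of the post above and not cardano-wallet's code: it checks fetched bytes against the registered hash before reading any field. It assumes the hash is Blake2b-256 over the raw file bytes and a 512-byte size cap, neither of which is stated in this thread; the function names, field list and sample pool are hypothetical.

```python
import hashlib
import json
from urllib.parse import urlsplit

MAX_METADATA_BYTES = 512  # assumed size cap for pool metadata files
REQUIRED_FIELDS = ("name", "ticker", "description", "homepage")  # assumed field set


def metadata_hash(raw: bytes) -> str:
    """Blake2b-256 digest of the file exactly as served (assumed hash scheme)."""
    return hashlib.blake2b(raw, digest_size=32).hexdigest()


def check_pool_metadata(url: str, registered_hash: str, raw: bytes) -> dict:
    """Validate bytes fetched from a pool's metadata URL before using any field.

    Raises ValueError when the response cannot be tied to the registration.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("metadata URL must be an http(s) URL with a hostname")
    if len(raw) > MAX_METADATA_BYTES:
        raise ValueError("metadata larger than the allowed size")
    # Hash the raw bytes, not re-serialized JSON: any whitespace change alters the digest.
    if metadata_hash(raw) != registered_hash.lower():
        raise ValueError("metadata does not match the registered hash")
    doc = json.loads(raw.decode("utf-8"))  # decode and parse errors are ValueErrors
    if not isinstance(doc, dict):
        raise ValueError("metadata must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(doc.get(f), str)]
    if missing:
        raise ValueError(f"missing or non-string fields: {missing}")
    # The host is returned so a DNS or antivirus alert can be tied back to a pool.
    return {"host": parts.hostname, "ticker": doc["ticker"], "name": doc["name"]}


# Constructed sample: a made-up pool, not a real registration.
SAMPLE_URL = "https://pool.example/meta.json"
SAMPLE_RAW = json.dumps({
    "name": "Example Pool",
    "ticker": "EXMPL",
    "description": "Constructed sample metadata",
    "homepage": "https://pool.example",
}).encode("utf-8")
SAMPLE_HASH = metadata_hash(SAMPLE_RAW)

if __name__ == "__main__":
    print(check_pool_metadata(SAMPLE_URL, SAMPLE_HASH, SAMPLE_RAW))
```

A response that was altered in transit or on the host fails the hash comparison and is rejected before any of its fields are displayed.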


Seems like there would be a more efficient way to store this information and serve it from a single source rather than the wallet pulling resources from hundreds of separate domains.

But for a decentralized system, I guess it’s not possible.

Smash servers can be run by anyone. The default wallet connection will use CF/IOHK instance, but people are free to modify it to alternate instances instead.