Curve Finance Warns Users of DNS Hijacking Attack Targeting Its Website

Update May 13, 12:33 am UTC: This article has been updated to include more information from Curve Finance.

Decentralized finance protocol Curve Finance has warned that a hacker has again hijacked its domain name system (DNS), sending users to a malicious website.

In the second attack on its infrastructure in a week, the “curve.fi DNS might be hijacked. Don’t interact!” the team said in a May 12 warning to X.

In a follow-up post to a user asking whether it was a hack or a hijack, the Curve Team said the website "Points to the wrong IP" when users try to visit. A DNS works like a directory that translates domain names into IP addresses.

The team also said in another update that the "Password is secure," its two-factor authentication was set up a "long time ago," and a question has been sent to the "registrar now."

”While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet! We are investigating and working on recovering the access. No sign of a compromise on our side,” Curve said.

Curve Finance was hit with a similar front end attack in August 2022. In a post-mortem, the consensus was that the attackers managed to clone the Curve Finance website and reroute the DNS server to the fake page.

Users who attempted to use the platform had their funds drained into a pool operated by the attackers.

Decrypt has contacted Curve Finance for comment.

Onchain security firm Blockaid also detected unusual activity from the Curve website recently, warning users to stay away and avoid interacting for now.

It could be a case of a “potential frontend attack,” according to the security firm, which is when hackers target the part of the website users interact with, such as the buttons, forms, or text on the site, to steal sensitive data.

“If you’re connected, please refrain from signing transactions and avoid interactions with the DApp until the issue is resolved. We’re working closely with affected partners. More updates soon,” Blockaid said.

Earlier this year, reports suggested that a rising number of DeFi protocols were being targeted by hackers. According to Chainalysis, April saw $92 million in crypto stolen from DeFi in 12 separate incidents.

This is more than double the $41 million lost in March, and the highest total for any month since August 2022, when $143 million was stolen in seven separate incidents.

The large majority of the stolen funds were in Ether, and the majority of the protocols targeted were decentralized exchanges.