Curve Finance Suffers DNS Hijack Attack, Loses User Funds

On May 12, 2025, at 20:55 UTC, attackers hijacked Curve Finance's “curve.fi” domain by gaining access to the domain's registrar and changing its DNS records. The change sent visitors to a malicious copy of the site built to drain their wallets: a non-functional decoy page that prompted users to approve wallet signatures. This was the second attack on Curve Finance's infrastructure within a week. The protocol's smart contracts were not breached; the compromise was confined to the DNS layer.
The DNS is a core piece of internet infrastructure that works like a phonebook: it lets users reach websites through memorable domain names instead of numeric IP addresses by translating those names into the addresses computers need to connect. This is not the first time Curve Finance, a decentralized finance (DeFi) protocol, has been hit this way. In August 2022, attackers cloned the Curve Finance website and tampered with its DNS settings to send users to the duplicate, and users lost funds to the attackers. The project was using the same registrar, “iwantmyname,” at the time of that earlier attack.
When a user types a web address, the device queries a DNS resolver for the matching IP address and connects to it. In DNS hijacking, attackers interfere with this resolution so that queries return addresses they control, silently rerouting users to malicious sites. They may exploit vulnerabilities in DNS servers, compromise home or office routers, or take over the domain's registrar account. Whatever the entry point, the goal is the same: change the records so that a user visiting a legitimate site lands on a lookalike page carrying wallet-draining code. Common variants are local DNS hijacking (malware altering a device's resolver settings), router hijacking, man-in-the-middle interception of DNS traffic, and registrar-level hijacking, which changes the authoritative records or the delegation itself and therefore affects every user of the domain at once.
In Curve's case, the attackers got into the systems of the registrar “iwantmyname” and altered the DNS delegation of “curve.fi,” pointing the domain's nameserver (NS) records at a DNS server under their control; from then on, every resolver on the internet asked the attackers' server where curve.fi lived. A domain registrar is a company accredited to manage the reservation and registration of domain names; it lets a person or organization claim a domain and point it at services such as hosting and email. The precise method of the breach is still under investigation. As of May 22, 2025, the investigation had found no evidence of unauthorized account access or compromised credentials on Curve's side.
While the registrar was slow to respond, the Curve team acted on its own. It had the “curve.fi” delegation redirected to neutral nameservers, which took the website offline while efforts to regain control continued, and it quickly stood up a secure alternative at “curve.finance,” which temporarily serves as the official Curve Finance interface. Upon discovering the exploit at 21:20 UTC, the team notified users through official channels, requested takedown of the compromised domain, started mitigation and domain-recovery procedures, and coordinated the response with security partners and the registrar. The compromise of the domain notwithstanding, the Curve protocol and its smart contracts remained secure and fully operational; during the front-end disruption Curve processed over $400 million in onchain volume. No user data was at risk, because Curve's front end does not store user information. Throughout the incident the team remained reachable through its Discord server, where users could raise issues.
After the immediate damage control, the Curve team is taking further steps: assessing and strengthening registrar-level security, adding protections and evaluating alternative registrars, investigating decentralized front-end options to remove the dependence on vulnerable web infrastructure, and working with the wider DeFi and Ethereum Name Service (ENS) communities to push for native browser support for “.eth” domains. Unlike a smart contract exploit, a DNS hijack leaves no onchain trace until a victim signs the draining transaction, so users often do not realize they have been tricked until the funds are gone. It is a stealthy form of crypto theft.
The Curve Finance attack is concerning because it bypassed the decentralized security mechanisms at the protocol level. Curve's backend, meaning its smart contracts and onchain logic, was untouched, yet users lost funds because they were deceived at the interface. The incident exposes a structural weakness in DeFi: the backend may be decentralized and trustless, but the front end still depends on centralized Web2 infrastructure such as DNS, hosting, and domain registrars, and attackers can exploit these choke points to undermine trust and steal funds. It is a wake-up call for the crypto industry to explore decentralized web infrastructure, such as the InterPlanetary File System (IPFS) and ENS, to reduce reliance on vulnerable centralized services.

Closing the gap between decentralized backends and centralized frontends requires a layered approach. Projects can reduce reliance on traditional DNS by integrating decentralized naming systems such as ENS or Handshake, which take the registrar out of the resolution path. Hosting frontends on decentralized storage such as IPFS or Arweave adds another layer: IPFS content is addressed by its hash, so a tampered copy cannot be served under the original address. DNSSEC should be enabled so resolvers can verify that DNS answers are signed by the zone owner; this defeats cache poisoning and man-in-the-middle tampering, but not a registrar-level takeover, because whoever controls the registrar account can replace the DS records along with the delegation. The registrar account itself therefore has to be hardened: strong multifactor authentication (MFA), client transfer and update locks, and, where the registry offers it, a registry lock that requires out-of-band verification before any change. Monitoring the domain's NS delegation and DS records from outside the organization gives early warning when a change does occur. Finally, teaching users to verify site authenticity, for example by bookmarking the URL or checking ENS records, lowers phishing success rates. Bridging the trust gap between decentralized protocols and centralized interfaces is essential to security and user confidence in DeFi.
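As an added example (not Curve's or iwantmyname's code), the following Python audit shows what external monitoring of the two failure points described in this article could look like. It compares an observed snapshot of a domain's NS delegation, apex addresses, DS records and EPP lock status against an out-of-band baseline and reports drift, covering both the registrar-level delegation change described earlier and the registrar-lock and DNSSEC recommendations above. Domain names, IPs, DS values and the required-lock policy are constructed placeholders; a real deployment would fill the snapshot from a recursive resolver and the registrar's RDAP service.

```python
"""Delegation-drift and registrar-lock audit for a DeFi frontend domain.

Added illustration, not Curve Finance tooling. The snapshots below are
constructed stand-ins for resolver output (NS, A, DS) and the registrar's
RDAP status; every hostname, IP and DS value is a placeholder, not real data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List

# EPP locks that block transfers/updates. client* locks live in the registrar
# account; server* (registry lock) needs an out-of-band registry request, so a
# registrar-account takeover alone cannot clear it. Assumed policy: all three.
REQUIRED_LOCKS: FrozenSet[str] = frozenset({
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "serverTransferProhibited",
})


def norm_host(name: str) -> str:
    """Canonicalise a hostname: lowercase with a single trailing dot."""
    return name.strip().lower().rstrip(".") + "."


@dataclass(frozen=True)
class Baseline:            # what the owner expects; stored out-of-band
    domain: str
    nameservers: FrozenSet[str]   # NS set delegated at the TLD
    apex_ips: FrozenSet[str]      # IPs the apex A record may resolve to
    require_dnssec: bool = True


@dataclass(frozen=True)
class Snapshot:            # what the monitor observed on one run
    nameservers: FrozenSet[str]
    apex_ips: FrozenSet[str]
    ds_records: FrozenSet[str]    # DS RRs published in the parent zone
    epp_status: FrozenSet[str]    # status codes reported by RDAP/WHOIS


def audit(baseline: Baseline, snap: Snapshot) -> List[str]:
    """Return severity-prefixed findings; an empty list means all clear."""
    findings: List[str] = []
    expected_ns = {norm_host(n) for n in baseline.nameservers}
    observed_ns = {norm_host(n) for n in snap.nameservers}

    # A registrar-level hijack shows up first as a changed NS set at the
    # parent zone: resolution now goes to servers the owner never chose.
    added = sorted(observed_ns - expected_ns)
    removed = sorted(expected_ns - observed_ns)
    if added:
        findings.append(f"CRITICAL delegation drift: unexpected NS {added}")
    if removed:
        findings.append(f"CRITICAL delegation drift: missing NS {removed}")

    # Even with the right NS set, a tampered zone can point the apex at a
    # lookalike host, so the resolved addresses are checked as well.
    rogue_ips = sorted(snap.apex_ips - baseline.apex_ips)
    if rogue_ips:
        findings.append(f"CRITICAL apex resolves to unexpected IP(s) {rogue_ips}")

    # DS records gone from the parent means the DNSSEC chain was removed or
    # replaced. The registrar account holder can do that: detect, not prevent.
    if baseline.require_dnssec and not snap.ds_records:
        findings.append("HIGH no DS records at parent zone: DNSSEC chain missing")
    missing_locks = sorted(REQUIRED_LOCKS - snap.epp_status)
    if missing_locks:
        findings.append(f"HIGH registrar/registry locks missing: {missing_locks}")
    return findings


# Constructed sample data (placeholder names and RFC 5737 test addresses).
BASELINE = Baseline(
    domain="example-dex.fi",
    nameservers=frozenset({"ns1.example-dns.net.", "ns2.example-dns.net."}),
    apex_ips=frozenset({"203.0.113.10", "203.0.113.11"}),
)
HEALTHY = Snapshot(  # mixed case / missing dot exercises norm_host
    nameservers=frozenset({"NS1.example-dns.net", "ns2.example-dns.net."}),
    apex_ips=frozenset({"203.0.113.10"}),
    ds_records=frozenset({"12345 13 2 <digest placeholder>"}),
    epp_status=REQUIRED_LOCKS | {"clientDeleteProhibited"},
)
HIJACKED = Snapshot(  # delegation moved, lookalike IP, DS gone, update lock cleared
    nameservers=frozenset({"ns1.attacker-dns.example.", "ns2.attacker-dns.example."}),
    apex_ips=frozenset({"198.51.100.77"}),
    ds_records=frozenset(),
    epp_status=frozenset({"clientTransferProhibited", "serverTransferProhibited"}),
)


def run_demo() -> dict:
    """Audit both constructed snapshots and return {name: findings}."""
    return {"healthy": audit(BASELINE, HEALTHY), "hijacked": audit(BASELINE, HIJACKED)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result or ['OK']}")
```

Running the module audits two constructed snapshots: a healthy one, which yields no findings, and a hijack scenario modelled on the registrar-level delegation change described above, which flags the foreign nameservers, the lookalike address, the vanished DS records and the missing update lock. Because the registrar account holder can alter DS records too, the DNSSEC check is a detector rather than a preventer; the registry lock is what actually blocks the change.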
