Curve Finance Warns Users of DNS Hijacking Incident
Curve Finance, a leading decentralized finance (DeFi) protocol, has issued a critical warning to its users about a DNS hijacking incident. On May 12, the platform alerted users that its domain name system (DNS) had been compromised, potentially redirecting users to a malicious website. This is the second such attack on Curve Finance's infrastructure within a week, highlighting the ongoing security challenges faced by DeFi platforms.
The DNS hijacking incident involves an attacker gaining control of the DNS settings, which can redirect users to malicious websites or phishing pages. This can result in users unknowingly providing sensitive information or cryptocurrency assets to the attacker. Curve Finance has taken immediate action to mitigate the impact of the incident and has advised users to exercise caution when accessing the platform. The team confirmed that while all smart contracts are safe, the domain name points to a malicious site which can drain users' wallets. They are currently investigating and working on recovering access, with no signs of a compromise on their side.
In a follow-up post, the Curve Team clarified that the website "Points to the wrong IP" when users try to visit, indicating that the DNS was indeed hijacked. DNS works like a directory that translates domain names into IP addresses, and in this case, the translation was manipulated to direct users to a malicious site. The team also assured users that their passwords are secure and that two-factor authentication has been in place for a long time. They have sent a question to the registrar to address the issue.
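A "points to the wrong IP" condition can be caught by comparing live DNS answers with a pinned baseline. The following is an added example, not code from Curve or Blockaid: the domain `dapp.example`, the name servers, the address ranges and the sample answers are all constructed, and the input is assumed to be in `dig +noall +answer` layout.

```python
import ipaddress

# Constructed baseline for a hypothetical front-end domain (not real Curve data).
BASELINE = {
    "dapp.example": {
        "ns": {"ns1.dns-host.example.", "ns2.dns-host.example."},
        "nets": [ipaddress.ip_network("192.0.2.0/24")],
    }
}

# Constructed observations, one record per line: name TTL class type rdata
OBSERVED = """\
dapp.example. 300 IN NS ns1.dns-host.example.
dapp.example. 300 IN NS ns2.dns-host.example.
dapp.example. 60 IN A 192.0.2.10
dapp.example. 60 IN A 203.0.113.66
"""

def parse_answers(text):
    """Return {name: {"A": set, "NS": set}} from dig-style answer lines."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN" or parts[3] not in ("A", "NS"):
            continue  # skip comments, blank lines and other record types
        name = parts[0].rstrip(".").lower()
        records.setdefault(name, {"A": set(), "NS": set()})[parts[3]].add(parts[4].lower())
    return records

def find_drift(baseline, records):
    """List (domain, kind, value) findings where answers leave the baseline."""
    findings = []
    for domain, expected in baseline.items():
        seen = records.get(domain)
        if seen is None:
            findings.append((domain, "no_answer", ""))
            continue
        # A changed NS set suggests the delegation was altered at the registrar.
        for ns in sorted(seen["NS"] - {n.lower() for n in expected["ns"]}):
            findings.append((domain, "unexpected_ns", ns))
        # CIDR ranges instead of exact IPs tolerate normal rotation at the host.
        for addr in sorted(seen["A"]):
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in expected["nets"]):
                findings.append((domain, "a_outside_baseline", addr))
    return findings

if __name__ == "__main__":
    for finding in find_drift(BASELINE, parse_answers(OBSERVED)):
        print(finding)
```

Running the check from several resolvers and networks helps separate a registrar-level change from a poisoned local cache.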
This is not the first time Curve Finance has faced such an issue. In August 2022, the platform experienced a similar front-end attack. The consensus from the post-mortem analysis was that the attackers managed to clone the Curve Finance website and reroute the DNS server to the fake page. Users who attempted to use the platform had their funds drained into a pool operated by the attackers.
Onchain security firm Blockaid also detected unusual activity from the Curve website recently, warning users to stay away and avoid interacting for now. It could be a case of a “potential frontend attack,” where hackers target the part of the website users interact with, such as the buttons, forms, or text on the site, to steal sensitive data. Blockaid advised users to refrain from signing transactions and avoid interactions with the DApp until the issue is resolved, stating that they are working closely with affected partners and will provide more updates soon.
This incident is the second time Curve Finance has been targeted in the last week. On May 5, a hacker took over the official X handle. The team clarified that the incident was limited strictly to the X account, with no other Curve accounts affected. No security issues were found on their side, no user funds were impacted, and there were no victims of phishing links that the hacker posted. Access to the Curve Finance X account was restored quickly, and the cause is still under investigation.
The incident serves as a reminder to users of DeFi platforms to remain vigilant and take necessary precautions to protect their assets. This includes using hardware wallets, enabling two-factor authentication, and being cautious of phishing attempts. DeFi platforms must also continue to invest in security measures to protect against the evolving threats posed by hackers. Curve Finance has not yet provided a detailed explanation of how the DNS hijacking incident occurred or the extent of the damage caused. However, the platform has assured users that it is taking the necessary steps to resolve the issue and prevent future incidents. Users are advised to monitor the platform's official channels for updates and follow the recommended security measures to protect their assets.