QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
UNKNOWN
MAY 2025
GLOBAL
CURVE FINANCE
DESCRIPTION OF EVENTS
"Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama."
Unfortunately, Curve Finance was using a lower-end domain registrar named "iwantmyname" to manage their .fi extension domain name.
"Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure.
User funds are safe. Curve smart contracts remain secure.
The incident has not affected the protocol’s infrastructure and is strictly limited to the DNS layer."
Several users reported losing funds. However, no specific tally of the losses has been located yet.
"As soon as the exploit was detected, we’ve immediately taken the following steps:
- Isolated the issue to the DNS layer
- Initiated a full investigation
- Engaged with our domain registrar and security partners
- Reinforced all operational security protocols
We are actively working with the domain registrar to resolve the issue and restore normal operations as soon as possible.
This incident is not related to any breach of internal systems. Curve maintains a robust and industry standard security framework including password protection and two-factor authentication (2FA), etc, implemented long before the incident, none of which were bypassed.
The DNS incident involving curve [.] fi reflects a broader issue across the industry. In recent weeks, there has been a noticeable increase in attacks targeting the infrastructure of various crypto projects. Such incidents affect the entire market and highlight the importance of a systematic approach to protection. Curve Finance is taking all necessary measures to ensure the safety of user funds and restore the stable operation of the service.
In the meantime, avoid interacting with the curve [.] fi domain until an official update is shared through Curve Finance’s verified communication channels.
We understand the seriousness of the situation and are committed to full transparency. Our top priority is user safety and maintaining trust in Curve as public infrastructure for DeFi.
Thank you for your continued support."
Cloudflare eventually disabled the malicious front-end. Curve Finance has migrated their services to a curve.finance domain name.
It is not yet known whether Curve Finance will do anything to assist affected users.
Any investigation and potential recovery are still ongoing.
Curve Finance, a major decentralized exchange with $1.67 billion in total value locked, recently experienced a DNS-level attack that compromised its curve.fi domain. The exploit, linked to a lower-tier domain registrar, redirected users to a malicious IP, though no smart contracts or internal systems were breached. While user funds within the protocol remain secure, some users reported losses due to the incident. Curve swiftly responded by isolating the issue, launching an investigation, and migrating operations to curve.finance. The attack reflects a broader trend of infrastructure-targeted threats in crypto. Recovery efforts and potential user assistance are still under review.
Curve Finance - "Seems like http://curve.fi DNS might be hijacked. Don't interact!" - Twitter/X (May 13)
Blockaid - "URGENT: We have detected a potential frontend attack targeting @CurveFinance. If you're connected, please refrain from signing transactions and avoid interactions with the dApp until the issue is resolved. We’re working closely with affected partners. More updates soon." - Twitter/X (May 13)
Curve Finance - "Registrar support is ignoring the requests, too" - Twitter/X (May 13)
Curve Finance - "Nope, every password is random and secure, 2FA set up everywhere" - Twitter/X (May 13)
Curve Finance - "While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet! We are investigating and working on recovering the access. No sign of a compromise on our side." - Twitter/X (May 13)
Coinspect Security - "Cloudflare (@Cloudflare) has finally blocked the compromised Curve fi frontend." - Twitter/X (May 13)
"Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure." - Twitter/X (May 13)
Curve Finance - "Dear @iwantmyname. Your response time is totally unacceptable: we need access to curve [.] fi taken away from hackers and the incident to be investigated. As of now, DNS still points to a drainer which can lead users to lose millions if they interact with it!" - Twitter/X (May 13)
Lamntt08 - "@CurveFinance Connect to Curve and got hacked, please help" - Twitter/X (May 13)
