QI Quadriga Initiative

May 2025 - Curve Finance Curve.Fi DNS Hijack Malicious Frontend - $Unknown (Global)

"Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama."

Unfortunately, Curve Finance was using a lower-end domain registrar named "iwantmyname" to manage its .fi domain name.

"Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure.

User funds are safe. Curve smart contracts remain secure.

The incident has not affected the protocol’s infrastructure and is strictly limited to the DNS layer."

Several users reported losing funds. However, no specific tally of the lost funds has been located yet.

"As soon as the exploit was detected, we’ve immediately taken the following steps:
Isolated the issue to the DNS layer
Initiated a full investigation
Engaged with our domain registrar and security partners
Reinforced all operational security protocols

We are actively working with the domain registrar to resolve the issue and restore normal operations as soon as possible.

This incident is not related to any breach of internal systems. Curve maintains a robust and industry standard security framework including password protection and two-factor authentication (2FA), etc, implemented long before the incident, none of which were bypassed.

The DNS incident involving curve [.] fi reflects a broader issue across the industry. In recent weeks, there has been a noticeable increase in attacks targeting the infrastructure of various crypto projects. Such incidents affect the entire market and highlight the importance of a systematic approach to protection. Curve Finance is taking all necessary measures to ensure the safety of user funds and restore the stable operation of the service.

In the meantime, avoid interacting with the curve [.] fi domain until an official update is shared through Curve Finance’s verified communication channels.

We understand the seriousness of the situation and are committed to full transparency. Our top priority is user safety and maintaining trust in Curve as public infrastructure for DeFi.

Thank you for your continued support."

Cloudflare eventually disabled the malicious front-end. Curve Finance has migrated their services to a curve.finance domain name.

It is not yet known whether Curve Finance will do anything to assist affected users.

Any investigation and potential recovery are still ongoing.

Further Analysis

Curve Finance, a major decentralized exchange with $1.67 billion in total value locked, recently experienced a DNS-level attack that compromised its curve.fi domain. The exploit, linked to a lower-tier domain registrar, redirected users to a malicious IP, though no smart contracts or internal systems were breached. While user funds within the protocol remain secure, some users reported losses due to the incident. Curve swiftly responded by isolating the issue, launching an investigation, and migrating operations to curve.finance. The attack reflects a broader trend of infrastructure-targeted threats in crypto. Recovery efforts and potential user assistance are still under review.
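
A monitoring check for the kind of DNS-level redirection described above, as an added example that is not code from Curve Finance or from this page: it parses resolver answers and compares a domain's NS and A records against a pinned baseline. The domain, name servers and addresses are constructed placeholders, and watching NS records is an assumption, since the page does not say which records were changed.

```python
from collections import defaultdict

# Pinned baseline for a hypothetical domain (constructed values; the
# addresses are RFC 5737 documentation ranges, not Curve's real records).
BASELINE = {
    "NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
    "A": {"192.0.2.10", "192.0.2.11"},
}

# Constructed answers in `dig +noall +answer` layout: name TTL class type rdata
SAMPLE_OK = """\
app.example.   300   IN  A   192.0.2.11
app.example.   300   IN  A   192.0.2.10
app.example.   86400 IN  NS  NS1.dns-provider.example.
app.example.   86400 IN  NS  ns2.dns-provider.example.
"""
SAMPLE_HIJACKED = """\
app.example.   60    IN  A   198.51.100.77
app.example.   86400 IN  NS  ns1.unknown-host.example.
app.example.   86400 IN  NS  ns2.unknown-host.example.
"""

def parse_answers(text):
    """Group rdata by record type, lowercasing host names for comparison."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blanks, comments and malformed lines
        rtype, rdata = parts[3].upper(), parts[4]
        records[rtype].add(rdata.lower() if rtype == "NS" else rdata)
    return records

def check_drift(observed_text, baseline=BASELINE):
    """Return (severity, rtype, detail) findings; an empty list means no drift."""
    observed = parse_answers(observed_text)
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, set())
        unexpected = sorted(seen - expected)
        missing = sorted(expected - seen)
        if unexpected:
            # A changed delegation means the zone is no longer under the owner's control.
            sev = "critical" if rtype == "NS" else "high"
            findings.append((sev, rtype, "unexpected: " + ", ".join(unexpected)))
        elif missing:
            findings.append(("low", rtype, "missing: " + ", ".join(missing)))
    return findings
```

Run from several vantage points on a short interval, a check like this alerts on the first unexpected record, so the team is not relying on user reports to learn that the front end has moved.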

How Could This Have Been Prevented?

Sources/Further Reading

Curve Finance - "Seems like http://curve.fi DNS might be hijacked. Don't interact!" - Twitter/X (Dec 31)
Blockaid - "URGENT: We have detected a potential frontend attack targeting @CurveFinance. If you're connected, please refrain from signing transactions and avoid interactions with the dApp until the issue is resolved. We’re working closely with affected partners. More updates soon." - Twitter/X (Dec 31)
Curve Finance - "Registrar support is ignoring the requests, too" - Twitter/X (Dec 31)
Curve Finance - "Nope, every password is random and secure, 2FA set up everywhere" - Twitter/X (Dec 31)
Curve Finance - "While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet! We are investigating and working on recovering the access. No sign of a compromise on our side." - Twitter/X (Dec 31)
Coinspect Security - "Cloudflare (@Cloudflare) has finally blocked the compromised Curve fi frontend." - Twitter/X (Dec 31)
"Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure." - Twitter/X (Dec 31)
Curve Finance - "Dear @iwantmyname. Your response time is totally unacceptable: we need access to curve [.] fi taken away from hackers and the incident to be investigated. As of now, DNS still points to a drainer which can lead users to lose millions if they interact with it!" - Twitter/X (Dec 31)
Lamntt08 - "@CurveFinance Connect to Curve and got hacked, please help" - Twitter/X (Dec 31)
@getclave Twitter (Dec 31)
@poorbrah Twitter (Dec 31)
Tron says DAO X hack cost victims $45K, Curve Finance also hit - CoinTelegraph (Dec 31)
Archived tweet – Web3 is Going Just Great (Dec 31)
Curve Finance website and Twitter account hacked (Dec 31)
Understanding Curve Finance: Earn, Trade, and Farm with DeFi - Return Finance Blog (Dec 31)
What Is Curve Finance? - OSL Academy (Dec 31)
How To Use Curve Finance: A Step By Step Guide - Coin98 (Dec 31)
What Is Curve Finance in DeFi? - Binance Academy (Dec 31)

