Curve Finance Suffers DNS Hijack, Users Warned to Avoid Front-End

Decentralized exchange protocol Curve Finance confirmed on Tuesday that its web front-end was compromised in a domain name system (DNS) attack, with user traffic rerouted to a malicious clone of the site. While the protocol’s smart contracts remain secure, the team has urged users to steer clear of the main domain until further notice.

In a post on social media, Curve stated that the incident involved attackers altering DNS records to redirect traffic to an IP address under their control. This allowed the malicious site to impersonate Curve’s interface, potentially tricking unsuspecting users into approving harmful token transactions.

“Smart contracts are unaffected and user funds are secure,” the Curve team emphasized. However, they warned that users interacting with the front-end site during the attack could have been exposed to phishing mechanisms.

Curve Finance pointed to a broader industry trend: “This DNS compromise is not isolated; there’s been a notable uptick in attacks on the infrastructure layer of crypto projects over the past few weeks.”

The attack was first flagged on Monday afternoon, prompting Curve’s security team to act swiftly. The breach was “strictly limited to the DNS layer,” and their core infrastructure, including smart contracts and back-end systems, was untouched.

The team has since worked with its domain registrar and third-party security partners to neutralize the threat. “Preventative systems were already in place before the breach,” the project noted, suggesting that existing defenses were effective in containing the scope of the incident.

What the Hack Went Wrong

DNS records are responsible for translating a website’s domain name into an IP address, directing users to the correct server. By altering these records, attackers were able to divert traffic to a phishing site that mimicked Curve’s actual web app.
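The check below is an added example, not part of the article and not Curve's tooling: it shows the kind of record-drift monitor an operator can run against a front-end domain so that a rewrite of its DNS records, like the one described above, is noticed rather than discovered through user reports. The domain name and every IP address in it are constructed placeholders, and the resolver is injectable so the script runs offline against constructed answers.

```python
"""Added example (not from the article or Curve): detect DNS record drift for a
front-end domain by comparing the A records a resolver returns against a
pinned allowlist of known-good addresses.  Domain and IPs are placeholders."""
import socket
from typing import Callable, Iterable

# Constructed allowlist: the addresses the operator knows the front-end
# should resolve to (e.g. the hosting/CDN provider's published ranges).
EXPECTED_A_RECORDS = {
    "app.example-dex.invalid": {"203.0.113.10", "203.0.113.11"},
}


def system_resolver(name: str) -> set:
    """Resolve IPv4 A records with the OS resolver (needs network access)."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return {info[4][0] for info in infos}


def check_domain(name: str,
                 resolver: Callable[[str], Iterable[str]] = system_resolver) -> dict:
    """Return a verdict for one domain.

    'ok'               every observed address is on the allowlist
    'hijack_suspected' at least one address is not on the allowlist, i.e. the
                       records now point somewhere the operator did not put them
    'resolve_error'    the lookup itself failed (also worth alerting on, since
                       a registrar-level change can break resolution outright)
    """
    expected = EXPECTED_A_RECORDS.get(name, set())
    try:
        observed = set(resolver(name))
    except OSError as exc:
        return {"domain": name, "status": "resolve_error", "detail": str(exc)}
    unexpected = sorted(observed - expected)
    status = "hijack_suspected" if unexpected else "ok"
    return {"domain": name, "status": status,
            "observed": sorted(observed), "unexpected": unexpected}


def clean_answer(_name: str) -> set:
    """Constructed resolver answer: records as the operator published them."""
    return {"203.0.113.10"}


def tampered_answer(_name: str) -> set:
    """Constructed resolver answer: an extra address the operator never set."""
    return {"203.0.113.10", "198.51.100.77"}


if __name__ == "__main__":
    for answer in (clean_answer, tampered_answer):
        print(check_domain("app.example-dex.invalid", answer))
```

In practice the monitor would be scheduled from several vantage points (different recursive resolvers and regions), since a hijack at the registrar propagates to all of them while a poisoned single resolver shows up at only one; either way the alert condition is the same: an address outside the pinned set.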

The clone likely embedded malicious scripts designed to prompt users into connecting wallets and unknowingly signing approvals, effectively giving attackers control over their tokens.

“These kinds of DNS attacks represent a form of infrastructure-level social engineering,” said Meir Dolev, CTO and co-founder of blockchain security firm Cyvers. “Even when users see the correct domain in their browser, they might still be interacting with a fraudulent interface.”

Unlike typical smart contract exploits, DNS attacks don’t target the blockchain itself but instead exploit the layer of trust between users and the user interface of a decentralized application. “If users engage directly with Curve’s verified contracts, they’re generally safe,” Dolev added.

A Familiar Threat

This isn’t Curve Finance’s first encounter with DNS-related threats.

In August 2022, a similar DNS hijacking incident allowed attackers to redirect Curve users to a fake front-end, resulting in over $570,000 in losses. Curve advised users to revoke token approvals and floated a possible migration to Ethereum Name Service (ENS) domains as a more decentralized and tamper-resistant alternative.
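Both the approval-signing mechanism described under “What the Hack Went Wrong” and the revocation advice in the paragraph above come down to a handful of ERC-20 and ERC-721 calldata shapes. The example below is added here and is not the article's or Curve's code: it decodes the calldata a wallet is asked to sign, labels the unlimited-allowance and operator approvals a cloned front-end typically requests, and builds the `approve(spender, 0)` calldata that resets an allowance. The function selectors are the standard ones for `approve(address,uint256)` and `setApprovalForAll(address,bool)`; the spender address and sample transaction are constructed placeholders.

```python
"""Added example (not from the article or Curve): classify approval calldata a
wallet is asked to sign and build the revocation calldata used to undo it.
Addresses are constructed placeholders."""

# 4-byte selectors: first 4 bytes of keccak256 of the function signature.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
MAX_UINT256 = (1 << 256) - 1


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * i
    return data[start:start + 32]


def _address(word: bytes) -> str:
    """An address is the low 20 bytes of a 32-byte ABI word."""
    return "0x" + word[12:].hex()


def inspect_calldata(calldata: str) -> dict:
    """Classify calldata by its approval shape.

    risk values: 'unlimited_approval' (approve with amount 2**256-1),
    'limited_approval' (bounded approve), 'operator_approval'
    (setApprovalForAll(..., true)), 'revocation' (amount 0 / false), 'other'.
    """
    data = bytes.fromhex(calldata.removeprefix("0x"))
    sel = data[:4]
    if sel == APPROVE_SELECTOR and len(data) >= 4 + 64:
        spender = _address(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == MAX_UINT256:
            risk = "unlimited_approval"
        elif amount == 0:
            risk = "revocation"
        else:
            risk = "limited_approval"
        return {"kind": "approve", "spender": spender, "amount": amount, "risk": risk}
    if sel == SET_APPROVAL_FOR_ALL_SELECTOR and len(data) >= 4 + 64:
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") != 0
        return {"kind": "setApprovalForAll", "operator": operator, "approved": approved,
                "risk": "operator_approval" if approved else "revocation"}
    return {"kind": "other", "risk": "other"}


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0), which resets an ERC-20 allowance."""
    spender_word = bytes(12) + bytes.fromhex(spender.removeprefix("0x"))
    return "0x" + (APPROVE_SELECTOR + spender_word + (0).to_bytes(32, "big")).hex()


# Constructed sample: an unlimited approve to a placeholder spender, the kind
# of request the article says a cloned front-end would present for signing.
ATTACKER_SPENDER = "0x" + "ab" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE_SELECTOR.hex() + "00" * 12 + "ab" * 20 + "ff" * 32

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE_UNLIMITED))
    print(revoke_calldata(ATTACKER_SPENDER))
```

The useful signal for a user or a wallet-side guard is not the domain in the address bar, which the article notes can look correct during a DNS hijack, but the decoded intent of the transaction: an unlimited allowance or a blanket operator approval to an address the user does not recognise is the thing to refuse, and the same decoder confirms that a revocation transaction actually sets the allowance to zero.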

In 2023, Curve was again in the spotlight when a vulnerability in certain versions of the Vyper programming language exposed multiple DeFi protocols, including Curve’s CRV/ETH liquidity pool. That exploit led to a reported $24 million in collective losses across affected platforms.

Decentralized But Still Vulnerable

Although Curve is a cornerstone of DeFi, its continued struggles with front-end vulnerabilities highlight a key risk in decentralized systems: reliance on centralized web infrastructure such as DNS providers and domain registrars is an unfortunate dependency.

While Curve’s underlying contracts and protocol logic are decentralized and secure, its web-facing elements remain vulnerable to traditional attack vectors.

“Web2 infrastructure still serves as the gateway to Web3,” Dolev said. “Until projects fully embrace decentralized front-ends and alternative naming systems, users will continue to face risks at the interface level.”

Curve has not disclosed the duration of the DNS hijack or how many users may have interacted with the fake site. Investigations are ongoing, and users are being urged to avoid the site until an all-clear is given.

For now, users are advised to interact directly with Curve contracts via trusted wallets or explore ENS-based alternatives when available.