Curve Finance Curve.Fi DNS Hijack Malicious Frontend
Curve Finance, a major decentralized exchange with $1.67 billion in total value locked, recently experienced a DNS-level attack that compromised its curve.fi domain. The exploit, linked to a lower-tier domain registrar, redirected users to a malicious IP, though no smart contracts or internal systems were breached. While user funds within the protocol remain secure, some users reported losses due to the incident. Curve swiftly responded by isolating the issue, launching an investigation, and migrating operations to curve.finance. The attack reflects a broader trend of infrastructure-targeted threats in crypto. Recovery efforts and potential user assistance are still under review.[1][2][3][4][5][6][7][8][9][10][11]
About Curve Finance
"Curve is one of the largest decentralized exchanges (DEX) in the crypto market today, with about $1.67 billion in total value locked (TVL), according to data on DeFi TVL aggregator DeFiLlama."
The Reality
Unfortunately, Curve Finance was using a lower-end domain registrar named "iwantmyname" to manage its .fi domain, curve.fi.
What Happened
The Curve Finance curve.fi domain was hijacked at the DNS level and pointed at a malicious website. The malicious site looked identical to the legitimate front-end, but it served wallet-drainer JavaScript that requested permissions from connected wallets and drained them.
| Date | Event | Description |
|---|---|---|
| May 12th, 2025 9:00:00 AM MDT | Last Legitimate Front-End Update | The last known legitimate update to the Curve Finance front-end, according to Coinspect security. |
| May 12th, 2025 3:00:00 PM MDT | DNS Records Changed | The domain's DNS records are changed to point to Cloudflare IPs 104.21.67.209 and 172.67.181.32, which are not associated with Curve Finance. |
| May 12th, 2025 3:25:00 PM MDT | Curve Finance Reports Hijack | Curve Finance reports on Twitter/X that their DNS may be hijacked and recommends users "[d]on't interact". |
| May 12th, 2025 4:07:00 PM MDT | Blockaid Report Tweet | Blockaid posts to report they "have detected a potential frontend attack targeting" Curve Finance and recommends users to "please refrain from signing transactions and avoid interactions with the dApp until the issue is resolved". |
| May 12th, 2025 5:27:00 PM MDT | Curve Finance Confirms Security | Curve Finance confirms that "every password is random and secure" and that "2FA [has been] set up everywhere". |
| May 12th, 2025 5:30:00 PM MDT | Coinspect Security Analysis Thread | Coinspect Security starts a thread and reports that "[u]sers visiting the Curve frontend are being served malicious JavaScript wallet drainer code." |
| May 13th, 2025 2:32:00 AM MDT | Response Time Is Unacceptable | Curve Finance mentions the registrar is iwantmyname and publicly calls out that their response time is "totally unsacceptable(sic)". The domain reportedly still directs to a wallet drainer at this time. |
| May 13th, 2025 5:51:00 AM MDT | Curve Finance Being Ignored | Curve Finance reports that "[r]egistrar support is ignoring the requests, too". |
| May 13th, 2025 8:24:00 AM MDT | Cloudflare Blocked Malicious Content | Coinspect Security is now reporting that Cloudflare has finally blocked the malicious Curve Finance front-end. |
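The timeline shows the two signals a platform can watch for on its own side: the domain's records suddenly resolving to IPs it did not configure, and the served front-end no longer matching the last deployed build. The following is an added example, not Curve Finance's code or anything from the case study, of a small monitor that compares observed DNS records with an allowlist and compares the served HTML with the digest of the last known build. The two observed IPs are the Cloudflare addresses from the timeline above; the "expected" IPs, nameserver names and build digest are constructed placeholders, not Curve's real records.

```python
"""DNS drift and front-end integrity check for a dApp domain.

Added example for this case study; it is not Curve Finance's code.
It compares the records a resolver currently returns for a domain with the
records the operator expects, and compares the served front-end against the
digest of the last deployed build, so a hijack like the one in the timeline
is flagged by monitoring instead of being discovered from user reports.
"""
import hashlib
import socket
from dataclasses import dataclass, field

# --- constructed sample data -------------------------------------------------
# The two observed IPs are the Cloudflare addresses from the timeline above.
# The "expected" IPs are TEST-NET-1 placeholders (RFC 5737), not Curve's real
# records; the NS names and the build content are likewise made up for the demo.
EXPECTED_A = {"192.0.2.10", "192.0.2.11"}
EXPECTED_NS = {"ns1.registrar.example.", "ns2.registrar.example."}
OBSERVED_A_DURING_HIJACK = {"104.21.67.209", "172.67.181.32"}
LAST_GOOD_BUILD = b"<html><!-- legitimate front-end build --></html>"
EXPECTED_BUILD_SHA256 = hashlib.sha256(LAST_GOOD_BUILD).hexdigest()


@dataclass
class DnsSnapshot:
    """A and NS records observed for a domain at one point in time."""
    domain: str
    a_records: set
    ns_records: set


@dataclass
class DriftReport:
    """Differences between the observed records and the allowlist."""
    domain: str
    unexpected_a: set = field(default_factory=set)
    missing_a: set = field(default_factory=set)
    unexpected_ns: set = field(default_factory=set)
    missing_ns: set = field(default_factory=set)

    @property
    def drifted(self) -> bool:
        return bool(self.unexpected_a or self.missing_a
                    or self.unexpected_ns or self.missing_ns)


def check_drift(snapshot: DnsSnapshot, expected_a: set, expected_ns: set) -> DriftReport:
    """Compare observed records with the allowlist; any difference is drift.

    A new A record is the strongest signal (user traffic now goes somewhere
    else), but a changed NS set matters too: the zone is then being answered
    by nameservers the operator did not configure.
    """
    return DriftReport(
        domain=snapshot.domain,
        unexpected_a=snapshot.a_records - expected_a,
        missing_a=expected_a - snapshot.a_records,
        unexpected_ns=snapshot.ns_records - expected_ns,
        missing_ns=expected_ns - snapshot.ns_records,
    )


def served_build_matches(served_bytes: bytes, expected_sha256: str) -> bool:
    """True when the HTML actually served equals the last deployed build."""
    return hashlib.sha256(served_bytes).hexdigest() == expected_sha256


def resolve_a(domain: str) -> set:
    """Live A lookup using only the standard library (IPv4 only).

    NS records cannot be fetched with the socket module; a resolver library
    such as dnspython (dns.resolver.resolve(domain, "NS")) is needed for that.
    """
    infos = socket.getaddrinfo(domain, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def demo() -> DriftReport:
    """Run the check against the constructed hijack snapshot (fully offline)."""
    snapshot = DnsSnapshot("curve.fi", OBSERVED_A_DURING_HIJACK, EXPECTED_NS)
    report = check_drift(snapshot, EXPECTED_A, EXPECTED_NS)
    if report.drifted:
        print(f"ALERT {report.domain}: unexpected A {sorted(report.unexpected_a)}, "
              f"missing A {sorted(report.missing_a)}")
    return report


if __name__ == "__main__":
    demo()
```

In production the snapshot would come from `resolve_a` (plus an NS lookup) run every few minutes from outside the operator's own network, and the build digest from the CI pipeline that deployed the front-end; an alert on either check is the cue to tell users not to interact while the registrar is contacted, which is the same message Curve and Blockaid posted once the change was noticed.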
Technical Details
"Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure.
User funds are safe. Curve smart contracts remain secure.
The incident has not affected the protocol’s infrastructure and is strictly limited to the DNS layer."
Total Amount Lost
Several users reported losing funds. However, no specific tally of the funds lost has been located yet.
The total amount lost is unknown.
Immediate Reactions
"As soon as the exploit was detected, we’ve immediately taken the following steps:
- Isolated the issue to the DNS layer
- Initiated a full investigation
- Engaged with our domain registrar and security partners
- Reinforced all operational security protocols
We are actively working with the domain registrar to resolve the issue and restore normal operations as soon as possible.
This incident is not related to any breach of internal systems. Curve maintains a robust and industry standard security framework including password protection and two-factor authentication (2FA), etc., implemented long before the incident, none of which were bypassed.
The DNS incident involving curve [.] fi reflects a broader issue across the industry. In recent weeks, there has been a noticeable increase in attacks targeting the infrastructure of various crypto projects. Such incidents affect the entire market and highlight the importance of a systematic approach to protection. Curve Finance is taking all necessary measures to ensure the safety of user funds and restore the stable operation of the service.
In the meantime, avoid interacting with the curve [.] fi domain until an official update is shared through Curve Finance’s verified communication channels.
We understand the seriousness of the situation and are committed to full transparency. Our top priority is user safety and maintaining trust in Curve as public infrastructure for DeFi.
Thank you for your continued support."
Ultimate Outcome
Cloudflare eventually disabled the malicious front-end. Curve Finance has migrated their services to a curve.finance domain name.
Total Amount Recovered
It is not yet known whether Curve Finance will do anything to assist affected users.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
Any investigation and potential recovery are still ongoing.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. Curve Finance - "Seems like http://curve.fi DNS might be hijacked. Don't interact!" - Twitter/X (Accessed May 13, 2025)
2. Blockaid - "URGENT: We have detected a potential frontend attack targeting @CurveFinance. If you're connected, please refrain from signing transactions and avoid interactions with the dApp until the issue is resolved. We’re working closely with affected partners. More updates soon." - Twitter/X (Accessed May 13, 2025)
3. Curve Finance - "Registrar support is ignoring the requests, too" - Twitter/X (Accessed May 13, 2025)
4. Curve Finance - "Nope, every password is random and secure, 2FA set up everywhere" - Twitter/X (Accessed May 13, 2025)
5. Curve Finance - "While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet! We are investigating and working on recovering the access. No sign of a compromise on our side." - Twitter/X (Accessed May 13, 2025)
6. Coinspect Security - "Cloudflare (@Cloudflare) has finally blocked the compromised Curve fi frontend." - Twitter/X (Accessed May 13, 2025)
7. "Late last night, the curve [.] fi domain was compromised at the DNS level. This exploit redirected traffic to a malicious IP not associated with Curve Finance. No smart contracts or internal systems were breached—the protocol itself remains fully operational and secure." - Twitter/X (Accessed May 13, 2025)
8. Curve Finance - "Dear @iwantmyname. Your response time is totally unsacceptable: we need access to curve [.] fi taken away from hackers and the incident to be investigated. As of now, DNS still points to a drainer which can lead users to lose millions if they interact with it!" - Twitter/X (Accessed May 13, 2025)
9. Lamntt08 - "@CurveFinance Connect to Curve and got hacked, please help" - Twitter/X (Accessed May 13, 2025)
10. @getclave - Twitter/X (Accessed May 13, 2025)
11. @poorbrah - Twitter/X (Accessed May 13, 2025)