Understanding the Curve Finance DNS hijacking
On May 12, 2025, at 20:55 UTC, hackers
hijacked the “.fi” domain name system (DNS) of Curve Finance
after managing to access the registrar. They began sending its
users to a malicious website, attempting to
drain their wallets. This was the second attack on Curve
Finance’s infrastructure in a week.
Users were directed to a website that was a non-functional
decoy, designed only to trick users into providing wallet
signatures. The hack hadn’t breached the protocol’s
smart contracts and was limited to the DNS layer.
The DNS is a critical component of the internet that functions
like a phonebook. It allows you to use simple, memorable domain
names (such as facebook.com) instead of complex numerical IP
addresses (like 192.168.1.1) for websites. DNS converts these
user-friendly domain names into the IP addresses computers require
to connect.
This is not the first time Curve Finance, a
decentralized finance (DeFi) protocol, has suffered
such an attack. Back in August 2022, Curve Finance faced an
attack with similar tactics. The attackers had cloned the Curve
Finance website and interfered with its DNS settings to send users
to a duplicate version of the website. Users who tried using the
platform ended up losing their money to the attackers. The project
was using the same registrar, “iwantmyname,” at the time of the
previous attack.

How attackers execute DNS hijacking in crypto
When a user types a web address, their device queries a DNS
server to retrieve the corresponding IP address and connect to the
correct website. In DNS hijacking, fraudsters interfere with this
process by altering how DNS queries are resolved, rerouting users
to malicious sites without their knowledge.
Fraudsters execute DNS hijacking in several ways. Attackers
might exploit vulnerabilities in DNS servers, compromise routers,
or gain access to domain registrar accounts. The objective is to
change the DNS records so that a user trying to visit a legitimate
site is redirected to a fake, lookalike page containing
wallet-draining code.
Types of DNS hijacking include:
- Local DNS hijack: Malware on a user’s device
changes DNS settings, redirecting traffic locally.
- Router hijack: Attackers compromise home or
office routers to alter DNS for all connected devices.
- Man-in-the-middle attack: Intercepts DNS
queries between user and server, altering responses on the
fly.
- Registrar-level hijack: Attackers gain access
to a domain registrar account and modify official DNS records,
affecting all users globally.
Did you know? During the Curve Finance DNS
attack in 2023, users accessing the real domain unknowingly signed
malicious transactions. The back end was untouched, but millions
were lost through a spoofed front end.
How DNS hijacking worked in the case of Curve Finance
When attackers compromise a website with DNS hijacking,
they can reroute traffic to a malicious website without the user’s
knowledge.
There are several ways DNS hijacking can occur. Attackers might
infect a user’s device with malware that alters local DNS settings,
or they may gain control of a router and change its DNS
configuration. They may also target DNS servers or domain
registrars themselves. In such cases, they modify the DNS records
at the source, affecting all users trying to access the site.
In the case of Curve Finance, the attackers infiltrated the
systems of the domain registrar “iwantmyname” and altered the DNS
delegation of the “curve.fi” domain to redirect traffic to their
own DNS server.
A domain registrar is a company authorized to manage the
reservation and registration of internet domain names. It allows
individuals or organizations to claim ownership of a domain and
link it to web services like hosting and email.
The precise method of the breach is still under investigation.
By May 22, 2025, no evidence of unauthorized access or compromised
credentials was found.
Did you know? DNS hijacking attacks often
succeed by compromising domain registrar accounts through phishing
or poor security. Many Web3 projects still host domains with
centralized providers like GoDaddy or Namecheap.
How Curve Finance responded to the hack
While the registrar was slow to respond, the Curve team took
measures to deal with the situation. It successfully redirected the
“.fi” domain to neutral nameservers, thus taking the website
offline while efforts to regain control continued.
To ensure safe access to the frontend and secure fund
management, the Curve team quickly launched a secure alternative at
“curve.finance,” now serving as the official Curve Finance
interface temporarily.
Upon discovering the exploit at 21:20 UTC, the team took the
following actions:
- Notified users immediately through official channels
- Requested the takedown of the compromised domain
- Initiated mitigation and domain recovery processes
- Collaborated with security partners and the registrar to
coordinate a response.
Compromise of the domain notwithstanding, the Curve protocol and
its smart contracts remained secure and fully operational. During
the disruption of the front end, Curve processed over $400 million
in onchain volume. No user data was at risk, as Curve’s front end
does not store any user information.
Throughout the compromise, the Curve team was always available
through its Discord server, where users could raise issues with
them.

After implementing immediate damage control measures, the Curve
team is now taking additional steps to prepare for the future.
- Assessing and enhancing registrar-level security, incorporating
stronger protections and exploring alternative registrars
- Investigating decentralized front-end options to eliminate
dependence on susceptible web infrastructure
- Partnering with the broader DeFi and Ethereum Name Service
(ENS) communities to advocate for native browser support for “.eth”
domains.
Did you know? Unlike smart contract
exploits, DNS hijacks leave no trace onchain initially, making it
hard for users to realize they have been tricked until funds are
gone. It is a stealthy form of crypto theft.
How crypto projects can deal with DNS hijacking vulnerability
The Curve Finance attack is concerning because it bypassed
the decentralized security mechanisms at the protocol level.
Curve’s backend, meaning its smart contracts and onchain logic,
remained unharmed, yet users lost funds because they were deceived
at the interface level. This incident underscores a significant
vulnerability in DeFi.
While the backend may be decentralized and trustless, the front
end still depends on centralized Web2 infrastructure like DNS,
hosting and domain registrars. Attackers can exploit these
centralized choke points to undermine trust and steal
funds.
The Curve attack serves as a wake-up call for the crypto
industry to explore decentralized web infrastructure, such as
InterPlanetary File System (IPFS) and Ethereum Name Service
(ENS), to reduce reliance on vulnerable centralized services.
To address the gap between decentralized backends and
centralized frontends, crypto projects must adopt a multi-layered
approach. Ways to close this gap include:
- Minimize reliance on traditional DNS: Integrating decentralized
naming alternatives such as ENS or Handshake reduces the risk of
registrar-level hijacks.
- Use decentralized file storage systems: Hosting frontends on
decentralized file storage systems such as IPFS or Arweave adds
another layer of protection.
- Implement domain name system security extensions (DNSSEC):
Teams should implement DNSSEC to verify the integrity of DNS
records and prevent unauthorized changes.
- Secure registrar accounts: Registrar accounts must be secured
with strong authentication methods, including
multifactor authentication (MFA) and domain locking.
- Train users: Educating users to verify site authenticity, such
as bookmarking URLs or checking ENS records, can reduce phishing
success rates.
Bridging the trust gap between decentralized protocols and
centralized interfaces is essential for maintaining security and
user confidence in DeFi platforms.
...