Cointelegraph Bitcoin & Ethereum Blockchain News

Understanding Curve Finance DNS Hijacking
On May 12, 2025, at 20:55 UTC, attackers hijacked the Domain Name System (DNS) records of Curve Finance's ".fi" domain after gaining access at the registrar. They began sending users to a malicious website in an attempt to drain their wallets. It was the second attack on Curve Finance's infrastructure in a week.
Users were directed to a non-functional decoy site built solely to trick them into providing wallet signatures. The hack did not compromise the protocol's smart contracts; it was limited to the DNS layer.
DNS is a critical part of the Internet that works like a phonebook. It lets people use simple, memorable domain names (such as facebook.com) instead of numeric IP addresses (such as 192.168.1.1, a private-range address used here only as an illustration) for websites. DNS translates these human-friendly names into the IP addresses computers need in order to connect.
This is not the first time Curve Finance, a decentralized finance (DeFi) protocol, has suffered such an attack. In August 2022, Curve Finance faced an attack using similar tactics: the attackers cloned the Curve Finance website and tampered with its DNS settings to send users to the lookalike copy. Users who tried to use the platform lost their funds to the attackers. The project was using the same registrar, iwantmyname, at the time of that earlier attack.
How Attackers Hijack DNS to Target Crypto Users
When a user types a web address, their device queries a DNS server to obtain the corresponding IP address and connect to the correct website. In a DNS hijack, attackers interfere with this process by changing how DNS queries are resolved, rerouting users to malicious sites without their knowledge.
Attackers carry out DNS hijacks in several ways. They can exploit weaknesses in DNS servers, compromise routers, or gain access to domain registrar accounts. The goal is to alter DNS records so that a user trying to visit a legitimate site is redirected to a fake, lookalike page containing wallet-draining code.
DNS hijacking types include:
- Local DNS hijack: Malware on a user's device changes its DNS settings, rerouting traffic locally.
- Router hijack: Attackers compromise home or office routers to change the DNS settings for every connected device.
- Man-in-the-middle attack: Attackers intercept DNS queries between the user and the resolver and alter the responses in transit.
- Registrar-level hijack: Attackers gain access to a domain registrar account and change the authoritative DNS records, affecting every user worldwide.
Do you know? During the 2022 Curve Finance DNS attack, users who visited the genuine domain unknowingly signed malicious transactions. The backend was never changed, yet millions were lost through a spoofed front end.
How the DNS Hijack Worked in Curve Finance's Case
When attackers compromise a website through DNS hijacking, they can reroute its traffic to a malicious site without the user's knowledge.
DNS hijacking can happen in many ways. Attackers can infect a user's device with malware that changes local DNS settings, or they may take control of a router and alter its DNS configuration. They can also target DNS servers or domain registrars directly. In those cases they change the DNS records at the source, affecting every user who tries to reach the site.
In Curve Finance's case, the attackers got into the systems of the domain registrar iwantmyname and changed the DNS delegation of the curve.fi domain, pointing traffic at nameservers under their own control.
A domain registrar is a company accredited to manage the reservation and registration of Internet domain names. It lets individuals or organizations claim ownership of a domain and link it to web services such as hosting and email.
The exact method of the breach is still under investigation. As of May 22, 2025, no evidence of unauthorized account access or compromised credentials had been found.
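The hijack types listed above and the delegation change described here differ in where the resolution chain starts lying, and that is how a practitioner tells them apart. The script below is an added example (not Curve Finance's or Cointelegraph's code) that classifies a suspected hijack from answers collected at several vantage points: the TLD registry's delegation, the delegated nameservers, an independent public resolver and the device's own resolver. The answers are constructed snapshots of what `dig +short @<resolver> <name> A` and `dig +short @<tld-nameserver> <name> NS` would return; every hostname and IP is a hypothetical placeholder (.example names, documentation IP ranges).

```python
"""Locate the layer of a DNS hijack by comparing answers from several vantage points.

Added example, not code from Curve Finance or Cointelegraph. Inputs are
constructed snapshots; all names and addresses are hypothetical placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    domain: str
    expected_ns: frozenset        # NS delegation pinned from a known-good baseline
    expected_a: frozenset         # A records pinned from the same baseline
    parent_ns: frozenset          # NS set the TLD registry currently publishes
    authoritative_a: frozenset    # A answer from the currently delegated nameservers
    public_a: frozenset           # A answer from an independent public resolver
    local_a: frozenset            # A answer from the device's configured resolver


def classify_hijack(s: DnsSnapshot) -> tuple[str, str]:
    """Return (layer, evidence).

    Checks run from the top of the resolution hierarchy downward, because a
    change at a higher layer is reproduced by every layer beneath it: a changed
    delegation makes even the 'authoritative' answer wrong, so it is tested
    before the authoritative/public/local comparisons mean anything.
    """
    if s.parent_ns != s.expected_ns:
        return ("registrar", f"TLD delegation for {s.domain} now points at "
                f"{sorted(s.parent_ns)}; every resolver worldwide follows it")
    if s.authoritative_a != s.expected_a:
        return ("zone", "delegation intact, but the authoritative servers answer "
                f"{sorted(s.authoritative_a)}: zone data or the DNS-hosting account was altered")
    if s.public_a != s.expected_a:
        return ("resolver-path", "authoritative data is correct, but a public resolver returns "
                f"{sorted(s.public_a)}: cache poisoning or on-path tampering toward that resolver")
    if s.local_a != s.expected_a:
        return ("local-or-router", "only the device's configured resolver returns "
                f"{sorted(s.local_a)}: inspect the router's DNS settings and the host's "
                "resolver configuration and hosts file")
    return ("none", "every vantage point agrees with the pinned baseline")


# Constructed baseline for a hypothetical app domain.
GOOD_NS = frozenset({"ns1.legit-dns.example.", "ns2.legit-dns.example."})
GOOD_A = frozenset({"192.0.2.10"})

# Scenario 1: delegation changed at the registry (the pattern described for curve.fi).
REGISTRAR_HIJACK = DnsSnapshot(
    domain="app.example",
    expected_ns=GOOD_NS, expected_a=GOOD_A,
    parent_ns=frozenset({"ns1.attacker.example."}),
    authoritative_a=frozenset({"198.51.100.7"}),
    public_a=frozenset({"198.51.100.7"}),
    local_a=frozenset({"198.51.100.7"}),
)

# Scenario 2: only the user's own resolver is lying (device malware or router tampering).
LOCAL_HIJACK = DnsSnapshot(
    domain="app.example",
    expected_ns=GOOD_NS, expected_a=GOOD_A,
    parent_ns=GOOD_NS,
    authoritative_a=GOOD_A,
    public_a=GOOD_A,
    local_a=frozenset({"203.0.113.5"}),
)

# Scenario 3: nothing wrong.
HEALTHY = DnsSnapshot(
    domain="app.example",
    expected_ns=GOOD_NS, expected_a=GOOD_A,
    parent_ns=GOOD_NS, authoritative_a=GOOD_A, public_a=GOOD_A, local_a=GOOD_A,
)

if __name__ == "__main__":
    for snap in (REGISTRAR_HIJACK, LOCAL_HIJACK, HEALTHY):
        layer, why = classify_hijack(snap)
        print(f"{layer:16} {why}")
```

Two points this makes that the prose does not: a registrar-level hijack looks perfectly consistent from every resolver on the Internet, so it can only be detected against a baseline pinned in advance, and the delegation must be read from the TLD's own servers (a non-recursive query), not from a recursive resolver that has already followed it. The local-or-router result cannot distinguish device malware from a tampered router on its own; that needs a look at the device's resolver settings and the router's configuration.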
Do you know? DNS hijacking attacks often succeed by compromising domain registrar accounts through phishing or weak account security. Many Web3 projects still register their domains with centralized providers such as GoDaddy or Namecheap.
How Curve Finance Responded to the Hack
With the registrar responding slowly, the Curve team took steps to handle the situation itself. It successfully re-pointed the .fi domain to neutral nameservers, taking the malicious site offline while efforts to regain full control continued.
To keep frontend access and fund management safe, the Curve team quickly launched a secure alternative at curve.finance, which serves as a temporary Curve Finance interface.
After detecting the exploit at 21:20 UTC, the team took the following actions:
- Immediately notified users through official channels
- Requested a takedown of the compromised domain
- Initiated mitigation and domain recovery processes
- Cooperated with security partners and the registrar to coordinate a response
Despite the domain compromise, the Curve protocol and its smart contracts remained secure and fully operational. During the frontend outage, Curve processed more than $400 million in onchain volume. No user data was at risk, since Curve's frontend does not store any user information.
Throughout the compromise, the Curve team remained reachable through its Discord server, where users could raise issues with them.
After the immediate containment steps, the Curve team is now taking additional measures to prepare for the future:
- Reviewing and strengthening registrar-level security, including stronger protections and an evaluation of alternative registrars
- Investigating decentralized front-end options to eliminate dependence on vulnerable web infrastructure
- Working with the wider DeFi and Ethereum Name Service (ENS) communities to advocate for native browser support for ".eth" domains
Do you know? Unlike smart contract exploits, DNS hijacks initially leave no trace onchain, making it hard for users to realize they have been tricked until the funds are gone. This makes them a stealthy form of crypto theft.
How Crypto Projects Deal With DNS Weaknesses
The attack on Curve Finance is concerning because it bypasses the decentralized security mechanisms at the protocol level. Curve's backend, meaning its onchain smart contracts and logic, was unharmed, yet users lost funds because they were deceived at the interface level. The incident highlights a significant weakness in DeFi.
While the backend can be decentralized and trustless, the front end still depends on centralized Web2 infrastructure such as DNS, hosting and domain registrars. Attackers can exploit these centralized choke points to break trust and steal funds.
The Curve attack serves as a wake-up call for the crypto industry to explore decentralized web infrastructure, such as the InterPlanetary File System (IPFS) and the Ethereum Name Service (ENS), to reduce reliance on vulnerable centralized services.
To close the gap between decentralized backends and centralized frontends, crypto projects must adopt a multi-layered approach.
Here are several ways crypto projects can address this gap:
- Reduce reliance on traditional DNS: Incorporating decentralized naming alternatives such as ENS or Handshake reduces the risk of registrar-level hijacks.
- Use decentralized file storage: Hosting frontends on decentralized storage systems such as IPFS or Arweave adds another layer of protection, since content is addressed by its hash rather than by a mutable location.
- Implement Domain Name System Security Extensions (DNSSEC): Teams should deploy DNSSEC so resolvers can verify the integrity of DNS records. Note that DNSSEC only authenticates data signed with the zone's keys; it does not stop an attacker who controls the registrar account and can change the delegation and DS records themselves, so registrar account security remains the foundation.
- Secure registrar accounts: Registrar accounts must be protected with strong authentication, including multifactor authentication (MFA) and registrar or registry locks on the domain.
- Train users: Teaching users to verify a site's authenticity, for example by bookmarking URLs or checking ENS records, can reduce the success rate of phishing.
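The reason IPFS-style hosting helps against a DNS hijack is that the frontend is identified by a hash of its bytes rather than by a name an attacker can re-point. The script below is an added example (not Curve's deployment tooling) showing that check: it computes the CIDv1 that IPFS assigns to a small file added with `ipfs add --cid-version 1 --raw-leaves` (a single raw leaf; files larger than the 256 KiB chunk size are split into a DAG and receive a different CID, so this covers small bundles only), then verifies a served bundle against a CID published out of band, such as an ENS contenthash record. The bundle text, the injected tampering and the "pinned" CID are all constructed for the example.

```python
"""Verify a frontend bundle by its content hash rather than by where it came from.

Added example, not Curve Finance's code. Computes the CIDv1 (raw codec,
sha2-256, base32) that IPFS assigns to a small raw-leaf file and checks a
bundle against it. Bundle contents and tampering are constructed.
"""
import base64
import hashlib

CID_VERSION = 0x01   # CIDv1
RAW_CODEC = 0x55     # multicodec "raw": the block is the file bytes themselves
SHA2_256 = 0x12      # multihash function code for sha2-256


def cid_v1_raw(data: bytes) -> str:
    """CIDv1, raw codec, sha2-256 multihash, multibase base32 ('b' prefix)."""
    digest = hashlib.sha256(data).digest()
    # The version, codec, hash code and 32-byte length each fit in one varint byte.
    cid_bytes = bytes([CID_VERSION, RAW_CODEC, SHA2_256, len(digest)]) + digest
    # Multibase 'b' is lower-case base32 without padding.
    return "b" + base64.b32encode(cid_bytes).decode("ascii").lower().rstrip("=")


def verify_bundle(data: bytes, pinned_cid: str) -> bool:
    """True only if the bytes hash to the CID published out of band; a hijacked
    DNS name can change what is served but cannot change which CID is expected."""
    return cid_v1_raw(data) == pinned_cid


# Constructed frontend bundle as published by the project.
GOOD_BUNDLE = b"""<script>
  async function connect() { await provider.request({ method: 'eth_requestAccounts' }); }
</script>
"""
# The CID recorded at release time (e.g. in an ENS contenthash); derived here from the good bytes.
PINNED_CID = cid_v1_raw(GOOD_BUNDLE)

# Constructed tampered copy: a hijacked host serves the same page plus a drainer call.
TAMPERED_BUNDLE = GOOD_BUNDLE.replace(
    b"</script>",
    b"  signer.signTypedData(drainPermit); // injected\n</script>",
)

if __name__ == "__main__":
    print("pinned  :", PINNED_CID)
    print("good    :", verify_bundle(GOOD_BUNDLE, PINNED_CID))
    print("tampered:", verify_bundle(TAMPERED_BUNDLE, PINNED_CID))
```

The check only protects users whose client actually resolves the content by CID (an IPFS-aware gateway or browser, or an ENS lookup of the contenthash). A user who reaches the same bundle through a plain DNS name still trusts whatever that name serves, which is why the page pairs decentralized hosting with decentralized naming rather than treating either alone as sufficient.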
Bridging the trust gap between decentralized protocols and centralized interfaces is essential to maintaining user security and confidence in DeFi platforms.