Curve Finance warns users of DNS hijack in second cyber attack this month

Decentralized finance protocol Curve Finance has once again been breached, marking the second cyber attack this month.

According to Curve Finance, hackers hijacked its domain name system (DNS), sending users to a malicious website.

Curve Finance argued that the smart contracts were unaffected

In an X post, Curve Finance warned users not to engage with its platform, saying, “The “curve.fi DNS might be hijacked. Don’t interact!” 

Later, in response to another X user’s query on whether it was a hack or hijack, the DeFi protocol explained that their website directs users to the wrong IP, a malicious site that could drain users’ wallets.

However, the firm later confirmed that their smart contracts and password were safe. The Curve team also stated that the two-factor authentication had already been set up, and a query had been sent to the registrar.

While they are still investigating the attack and working to regain control of their DNS, they claimed there saw no compromise on their side.

Blockaid, an onchain security platform, also noticed unusual activity and alerted users to avoid the Curve website.

It warned of a possible front-end attack on the website and asked users to cease all interactions with the application and not to sign any transactions until an official all-clear sign is given.

Multiple DeFi projects are said to have been impacted by the incident, including Convex Finance and Resupply — which lean on Curve’s data feeds. The platforms were plagued with service pitfalls and operational disruptions after the event.

Both teams have assured users that their central infrastructures have been safe so far; however, they also recognized that services depending on Curve will continue to be affected until the domain is completely recovered.

DNS hijacking is a cyberattack where attackers manipulate the Domain Name System to redirect users to malicious sites. In this case, attackers could trick users into interacting with fraudulent versions of Curve’s platform.

Security experts and users have flagged this as a strong reminder of the risks associated with DeFi frontends. Unlike decentralized smart contracts, web frontends remain vulnerable to traditional attacks such as DNS hijacking.

Projects linked to Curve, including Convex, have emphasized that while their backends are unaffected, users should avoid signing transactions or interacting with dApps tied to Curve during this period.

Curve Finance explained it is working with affected partners to mitigate the breach. A probe is currently ongoing, and more information will be released soon.

This situation highlights the need for DeFi protocols to focus more heavily on front-end security. Recent DeFi hacks reflect that the front end remains an exposed vector despite decentralized architectures.

Curve Finance has been a target of hacker attacks

Curve Finance’s official X account was also hacked last week, on May 5. Fortunately, the breach was quickly controlled, with the team verifying that only their social media handle was compromised. No user assets were lost, and an investigation continues.

The incident was one in a series of similar attacks. Earlier this month, on May 2, Tron DAO’s X account was compromised as well, and soon after, Her Majesty’s Member of Parliament for Manchester Central, Lucy Powell’s account was also taken over to advertise a scam token dubbed “House of Commons Coin (HOC).”

Curve Finance has not been without its run-ins with hackers, with one other incident in particular in 2022. At the time, it was revealed that attackers had breached the firm’s website and even taken control of its DNS server, which directed innocent clients (and their transactions) to dodgy endpoints.

Per blockchain sleuth ZachXBT, the perpetrators made off with $570k worth of ETH, which was processed through the FixedFloat exchange before being laundered quickly.

Cryptopolitan Academy: Coming Soon - A New Way to Earn Passive Income with DeFi in 2025. Learn More