
Understanding the Curve Finance DNS Hijacking
On May 12, 2025, attackers hijacked the DNS of Curve Finance's “curve.fi” domain after gaining access to its domain registrar, and began redirecting users to a malicious website built to drain their wallets. It was the second attack on Curve Finance's infrastructure within a single week.
Users were sent to a non-functional decoy site designed to trick them into signing wallet transactions. Notably, the attack did not touch the protocol's smart contracts: the damage was confined to the DNS layer, and to whatever users signed on the decoy site.
The DNS serves as a critical component of the internet, functioning like a digital phonebook that allows users to access websites using easy-to-remember domain names instead of numeric IP addresses.
This was not the first time Curve Finance, a significant player in the decentralized finance (DeFi) sector, encountered such an incident. A previous attack in August 2022 involved similar tactics, where attackers cloned the Curve Finance website and manipulated its DNS settings to direct users to a fraudulent version, resulting in considerable losses for unsuspecting users.
How Attackers Execute DNS Hijacking in Crypto
DNS hijacking occurs when attackers interfere with DNS resolution, altering the answers a user receives so that a legitimate domain name resolves to an attacker-controlled address without the user noticing. Where the tampering happens determines how many users it reaches:
- Local DNS Hijack: Malware on a user's device changes its DNS settings, so only that device's traffic is redirected.
- Router Hijack: A compromised router alters the DNS settings handed out to every device on the network behind it.
- Man-in-the-Middle Attack: DNS queries are intercepted in transit and the replies are rewritten on the fly.
- Registrar-Level Hijack: Attackers gain access to the domain's registrar account and change its official nameserver delegation or records, which then propagates to every resolver worldwide.
During the August 2022 Curve Finance DNS attack, users signed malicious transactions while visiting what appeared to be the real domain: a spoofed frontend was served under the legitimate name, and the losses were substantial.
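The four classes above can be told apart by where the observed records first diverge from a known-good baseline, which is what a frontend team's DNS monitor should do. The following script is an added example for this article, not Curve Finance's tooling: it takes `dig +short`-style output captured from three vantage points (the NS delegation as served by the TLD's own nameservers, A records from an independent public resolver, and A records from the device's configured resolver) and maps the first divergence to a hijack class. All domain names and IP addresses are constructed for illustration; none of it is real curve.fi data.

```python
"""Classify a DNS hijack from where the observed records diverge.

Added example for this article; it is not Curve Finance's tooling.
Inputs are strings in the shape `dig +short` prints, one record per line,
captured from three vantage points:
  registry : NS records for the domain as served by the TLD's nameservers
             (the delegation the registrar account controls)
  public   : A records from an independent public resolver
  local    : A records from the resolver the user's device is configured to use
All sample data below is constructed; none of it is real curve.fi data.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_short(text: str) -> frozenset[str]:
    """Normalise `dig +short` output: drop blank and comment lines, trailing dots, case."""
    return frozenset(
        line.strip().rstrip(".").lower()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith(";")
    )


@dataclass(frozen=True)
class Snapshot:
    registry_ns: frozenset[str]
    public_a: frozenset[str]
    local_a: frozenset[str]


def snapshot(registry_ns: str, public_a: str, local_a: str) -> Snapshot:
    return Snapshot(parse_short(registry_ns), parse_short(public_a), parse_short(local_a))


def classify(baseline: Snapshot, now: Snapshot) -> str:
    """Map the first point of divergence from the baseline to a hijack class."""
    if now.registry_ns != baseline.registry_ns:
        # The parent zone now hands the domain to different nameservers. Only
        # the registrar account (or the registry) can do that, and it affects
        # every resolver on the internet: the Curve Finance case.
        return "registrar-level hijack: delegation changed at the registry"
    if now.public_a != baseline.public_a:
        # Delegation intact, but an independent resolver sees new answers: the
        # authoritative zone itself was edited (DNS-hosting account) or that
        # resolver is being fed forged answers. Check the DNS host, not the registrar.
        return "authoritative-zone change or upstream answer tampering"
    if now.local_a != baseline.local_a:
        # Only the device's own resolver path disagrees: local DNS settings,
        # the home router, or an on-path man-in-the-middle rewriting replies.
        # DNS data alone cannot separate these three; inspect the device and router.
        return "local/router/man-in-the-middle hijack"
    return "no divergence from baseline"


# Constructed baseline, recorded when the domain was known to be healthy.
BASELINE = snapshot(
    registry_ns="ns1.dns-host.example.\nns2.dns-host.example.\n",
    public_a="203.0.113.10\n",
    local_a="203.0.113.10\n",
)

# Constructed observations for three situations.
SCENARIOS = {
    # Delegation at the TLD now points at attacker nameservers.
    "registrar_hijack": snapshot(
        "ns1.attacker.example.\nns2.attacker.example.\n",
        "198.51.100.7\n",
        "198.51.100.7\n",
    ),
    # Delegation and public resolution intact; only the device's resolver path differs.
    "router_hijack": snapshot(
        "ns1.dns-host.example.\nns2.dns-host.example.\n",
        "203.0.113.10\n",
        "198.51.100.7\n",
    ),
    # Same data as the baseline, modulo case, ordering and a stray comment line.
    "clean": snapshot(
        "NS2.DNS-HOST.EXAMPLE.\nns1.dns-host.example\n",
        ";; a comment line dig may emit\n203.0.113.10\n",
        "203.0.113.10",
    ),
}


def run_scenarios() -> dict[str, str]:
    return {name: classify(BASELINE, obs) for name, obs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:17s} -> {verdict}")
```

To feed real data, capture the registry view with `dig +short NS <domain> @<tld-nameserver>` (the TLD's nameservers come from `dig +short NS fi.`), the public view with `dig +short A <domain> @1.1.1.1` or another resolver you trust, and the local view with plain `dig +short A <domain>`. Run it on a schedule against a baseline taken while the site is known to be healthy; the registrar-level verdict is the one that should page someone immediately, because it is global and only the registrar can reverse it.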
How DNS Hijacking Worked in the Case of Curve Finance
Attackers compromised the Curve Finance website by hijacking its DNS, rerouting users to a malicious site.
The attack involved gaining access to the domain registrar “iwantmyname” and altering the nameserver delegation of the “curve.fi” domain, so that all DNS queries for it were answered by the attackers' own DNS servers. The specifics of the breach are still under investigation.
Did you know? DNS hijacking attacks often succeed by compromising domain registrar accounts through phishing or poor security practices. Many Web3 projects still rely on centralized providers for domain registration.
How Curve Finance Responded to the Hack
In response to the DNS hijacking, the Curve team acted quickly. They pointed the “curve.fi” domain at neutral nameservers, effectively taking the site offline while recovery proceeded.
To keep users safe, the Curve team launched a secure alternative interface at “curve.finance”, serving as the official frontend temporarily. Having discovered the exploit at 21:20 UTC, the team took the following actions:
- Immediate user notifications through official channels.
- Request for takedown of the compromised domain.
- Initiation of mitigation and domain recovery processes.
- Collaboration with security partners and the registrar for coordinated response efforts.
While the domain was compromised, the Curve protocol and its smart contracts remained secure and operational, processing over $400 million in on-chain volume during the disruption.
How Crypto Projects Can Deal with DNS Hijacking Vulnerability
The Curve Finance attack highlights a structural vulnerability in the DeFi landscape: the frontend's dependency on centralized infrastructure.
While the backend of many DeFi protocols is decentralized and trustless, the frontend still relies heavily on centralized services (a domain registrar, a DNS host, a web host), each of which is a single point of failure that DNS hijacking exploits. The incident underlines the need for the crypto industry to adopt decentralized web infrastructure, such as the InterPlanetary File System (IPFS) and the Ethereum Name Service (ENS).
To address vulnerabilities, crypto projects should consider adopting multi-layered strategies, such as:
- Minimizing reliance on traditional DNS by offering decentralized naming such as ENS or Handshake, bearing in mind that users still need a resolver or gateway that honours those names.
- Hosting frontends on content-addressed storage such as IPFS, so the interface is identified by its content hash rather than by a mutable DNS name.
- Enabling DNSSEC so resolvers can verify that records were signed by the zone owner. The caveat: DNSSEC defends against forged responses (cache poisoning, on-path tampering), not against a registrar-level hijack, because whoever controls the registrar account can replace the DS record along with the delegation.
- Securing registrar accounts with multifactor authentication, registrar and registry locks (the EPP transfer- and update-prohibited statuses), and monitoring of nameserver records for unexpected changes.
- Training users to verify site authenticity, recognize phishing attempts, and refuse unexpected signature or approval requests.
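The registrar-lock and DNSSEC items above can be checked from the outside, because a domain's RDAP record (RFC 9083) publishes its EPP status codes and whether a DS record is delegated at the parent. The script below is an added example for this article, not Curve Finance's tooling: it audits an RDAP domain object for the four lock statuses and the DNSSEC flag, and applies the caveat that DNSSEC without a registry-level update lock still leaves the DS record changeable from a compromised registrar account. The three records are constructed for illustration; a real one can be fetched with `curl -s https://rdap.org/domain/<domain>`.

```python
"""Audit a domain's registrar-side posture from its RDAP record.

Added example for this article; it is not Curve Finance's tooling. RDAP
(RFC 9083) exposes the EPP status codes and the DNSSEC delegation flag for
a registered domain, which is enough to check the controls listed above.
The records below are constructed; a real one comes from e.g.
`curl -s https://rdap.org/domain/example.fi`.
"""
from __future__ import annotations

import json

# EPP status values, lower-case and space-separated as RDAP renders them.
# "client ..." locks are set from the registrar account itself; "server ..."
# locks are applied by the registry at the registrar's request and cannot be
# removed from a compromised registrar account alone.
LOCKS = {
    "client transfer prohibited": "registrar lock: blocks transfer to another registrar",
    "client update prohibited": "registrar lock: blocks nameserver and contact changes",
    "server transfer prohibited": "registry lock: blocks transfer even if the registrar account is compromised",
    "server update prohibited": "registry lock: blocks delegation changes even if the registrar account is compromised",
}


def audit(record: dict) -> list[str]:
    """Return the weaknesses found in an RDAP domain object; empty means all checks pass."""
    findings: list[str] = []
    status = {s.strip().lower() for s in record.get("status", [])}
    for code, meaning in LOCKS.items():
        if code not in status:
            findings.append(f"missing status '{code}' ({meaning})")
    secure = record.get("secureDNS") or {}
    if not secure.get("delegationSigned"):
        # No DS record at the parent: validating resolvers cannot verify this
        # zone, so forged answers for it pass unchallenged.
        findings.append("DNSSEC: delegation not signed (no DS record at the parent)")
    elif "server update prohibited" not in status:
        # DNSSEC does not stop a registrar-level hijack: whoever controls the
        # registrar account can swap the DS record together with the
        # delegation. Only a registry-side update lock closes that path.
        findings.append("DNSSEC present but the DS record is changeable from the registrar account (no registry update lock)")
    return findings


def audit_json(text: str) -> list[str]:
    """Convenience wrapper for raw RDAP JSON as returned by an RDAP server."""
    return audit(json.loads(text))


# Constructed RDAP records. Field names follow RFC 9083; values are made up.
WEAK = {
    "objectClassName": "domain",
    "ldhName": "weak.example",
    "status": ["active"],
    "secureDNS": {"delegationSigned": False},
}

PARTIAL = {
    "objectClassName": "domain",
    "ldhName": "partial.example",
    "status": ["active", "client transfer prohibited", "client update prohibited"],
    "secureDNS": {"delegationSigned": True},
}

HARDENED = {
    "objectClassName": "domain",
    "ldhName": "hardened.example",
    "status": [
        "active",
        "client transfer prohibited",
        "client update prohibited",
        "server transfer prohibited",
        "server update prohibited",
    ],
    "secureDNS": {
        "delegationSigned": True,
        # Constructed DS data: key tag, algorithm 13 (ECDSAP256SHA256), SHA-256 digest.
        "dsData": [{
            "keyTag": 12345,
            "algorithm": 13,
            "digestType": 2,
            "digest": "5f8a1c2e9b4d7a6f3e2c1b0a9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e",
        }],
    },
}


if __name__ == "__main__":
    for rec in (WEAK, PARTIAL, HARDENED):
        print(rec["ldhName"])
        for f in audit(rec) or ["all checks pass"]:
            print("  -", f)
```

The "server ..." statuses are what registrars sell as "registry lock"; they are worth the extra cost for a domain that fronts a protocol holding user funds, because they are the one control that survives a takeover of the registrar account itself.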
Addressing the gap between decentralized protocols and centralized interfaces is crucial to maintain security and user trust in DeFi platforms.