When DNS Hijacking Strikes: A Tale of Curve Finance’s Misadventures

Understanding the Curve Finance DNS Hijacking

On the twelfth day of May in the year of our Lord 2025, at precisely twenty-five minutes past eight in the evening, a most nefarious band of hackers did seize the “.fi” domain name system of Curve Finance, having cunningly infiltrated the registrar. With great audacity, they directed unsuspecting users to a most malicious website, intent on draining their wallets of their hard-earned funds. Alas, this was but the second such attack upon Curve Finance’s infrastructure within a mere week!

Users found themselves unwittingly led to a non-functional decoy, a mere shadow of the true site, designed solely to ensnare them into providing wallet signatures. Fear not, dear reader, for the protocol’s smart contracts remained unscathed, and the calamity was confined to the DNS layer.

The DNS, a most critical component of the internet, serves as a veritable phonebook, allowing one to employ simple, memorable domain names (such as facebook.com) rather than the complex numerical IP addresses (like 192.168.1.1) that computers so adore. It is the DNS that transforms these user-friendly names into the IP addresses required for connection.

It is worth noting that this is not the first occasion upon which Curve Finance, a decentralized finance (DeFi) protocol, has suffered such an indignity. Back in August of 2022, Curve Finance was similarly beset by attackers who cloned their website and meddled with its DNS settings, leading users to a duplicitous version of the site. Those who ventured forth to use the platform found themselves bereft of their funds. At that time, too, the project’s domain was held with the very same registrar, “iwantmyname.”

How Attackers Execute DNS Hijacking in Crypto

When a user, in their innocent curiosity, types a web address, their device dutifully queries a DNS server to retrieve the corresponding IP address and connect to the correct website. In the dastardly act of DNS hijacking, fraudsters interfere with this process, altering how DNS queries are resolved, and rerouting users to malicious sites unbeknownst to them.

Fraudsters employ various methods to execute their nefarious plans. They might exploit vulnerabilities in DNS servers, compromise routers, or gain access to domain registrar accounts. Their objective is to alter the DNS records, redirecting a user attempting to visit a legitimate site to a fake, lookalike page replete with wallet-draining code.

Types of DNS hijacking include:

  • Local DNS hijack: Malware on a user’s device alters DNS settings, redirecting traffic locally.
  • Router hijack: Attackers compromise home or office routers to change DNS for all connected devices.
  • Registrar hijack: Attackers gain access to a domain registrar account and modify official DNS records, affecting all users globally.

Did you know? During the Curve Finance DNS attack in 2023, users accessing the real domain unwittingly signed malicious transactions. The back end remained untouched, yet millions were lost through a spoofed front end. Quite the scandal, I daresay! 😱

How DNS Hijacking Worked in the Case of Curve Finance

When attackers compromise a website through DNS hijacking, they can reroute traffic to a malicious website without the user’s knowledge. A most dastardly deed!

There are several methods by which DNS hijacking may occur. Attackers might infect a user’s device with malware that alters local DNS settings, or they may gain control of a router and change its DNS configuration. They may also target DNS servers or domain registrars themselves, modifying the DNS records at the source, thus affecting all users attempting to access the site.

In the case of Curve Finance, the attackers infiltrated the systems of the domain registrar “iwantmyname” and altered the DNS delegation of the “curve.fi” domain to redirect traffic to their own DNS server. A most audacious maneuver!

A domain registrar is a company authorized to manage the reservation and registration of internet domain names, allowing individuals or organizations to claim ownership of a domain and link it to web services such as hosting and email.
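To make the delegation step concrete, here is a toy model of the root → TLD → authoritative chain, written for this page as an added example (not code from Curve Finance, its registrar, or the original article). The nameserver names and the RFC 5737 documentation-range IP addresses are constructed. The only row a registrar controls is the NS record the TLD zone holds for the domain; changing that one row sends every resolver in the world to a different server, while the legitimate authoritative zone keeps answering exactly as before, which is why the smart contracts and the real backend stayed untouched.

```python
"""Toy DNS delegation chain: root -> TLD -> authoritative server.

Constructed example. Nameserver names and IPs are placeholders
(192.0.2.0/24 and 198.51.100.0/24 are reserved for documentation).
"""
from dataclasses import dataclass, field


@dataclass
class Nameserver:
    name: str
    # zone name -> name of the server that zone is delegated to
    delegations: dict = field(default_factory=dict)
    # fully qualified query name -> IP address this server answers with
    answers: dict = field(default_factory=dict)


def resolve(qname, root, servers, trace=None):
    """Iteratively resolve qname, following delegations until a server answers.

    `trace` (optional list) collects the names of the servers consulted.
    """
    server = root
    while True:
        if trace is not None:
            trace.append(server.name)
        if qname in server.answers:
            return server.answers[qname]
        # pick the most specific delegated zone that covers qname
        zone = next(
            (z for z in sorted(server.delegations, key=len, reverse=True)
             if qname == z or qname.endswith("." + z)),
            None,
        )
        if zone is None:
            raise LookupError(f"{server.name} holds no delegation for {qname}")
        server = servers[server.delegations[zone]]


def build_servers(curve_ns="ns1.legit.example."):
    """Build the chain. `curve_ns` is the registrar-controlled NS row in the TLD."""
    root = Nameserver("root", delegations={"fi.": "ns.tld.example."})
    tld = Nameserver("ns.tld.example.", delegations={"curve.fi.": curve_ns})
    legit = Nameserver("ns1.legit.example.", answers={"curve.fi.": "192.0.2.50"})
    rogue = Nameserver("ns1.rogue.example.", answers={"curve.fi.": "198.51.100.66"})
    return root, {s.name: s for s in (root, tld, legit, rogue)}


def lookup(qname, curve_ns="ns1.legit.example."):
    """Return (ip, list of servers consulted) for qname under a given delegation."""
    root, servers = build_servers(curve_ns)
    trace = []
    ip = resolve(qname, root, servers, trace)
    return ip, trace


if __name__ == "__main__":
    print("normal delegation:  ", lookup("curve.fi."))
    # only the TLD's NS row changed; the legitimate server still answers 192.0.2.50
    print("hijacked delegation:", lookup("curve.fi.", "ns1.rogue.example."))
```

Run it and compare the two traces: the first two hops are identical in both cases, and the legitimate server's own answer never changes. A monitor that only checks the authoritative server would therefore see nothing wrong; the check has to be made at the parent (TLD) level, where the delegation actually lives.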

The precise method of the breach remains under investigation. As of May 22, 2025, no evidence of unauthorized access or compromised credentials had been discovered. How very curious!

Did you know? DNS hijacking attacks often succeed by compromising domain registrar accounts through phishing or poor security. Many Web3 projects still host domains with centralized providers like GoDaddy or Namecheap. A rather precarious position, I must say! 😅

How Curve Finance Responded to the Hack

While the registrar was rather slow to respond, the diligent Curve team took measures to address the situation. They successfully redirected the “.fi” domain to neutral nameservers, thus taking the website offline whilst efforts to regain control continued. A commendable effort indeed!

20 UTC, the following actions were taken:

  • Users were immediately notified through official channels.
  • A request was made for the takedown of the compromised domain.
  • Mitigation and domain recovery processes were initiated.

After implementing immediate damage control measures, the Curve team is now taking additional steps to prepare for the future.

  • Host frontends on decentralized storage: Hosting frontends on decentralized file storage systems such as IPFS or Arweave adds another layer of protection.
  • Implement domain name system security extensions (DNSSEC): Teams should implement DNSSEC to verify the integrity of DNS records and prevent unauthorized changes.
  • Secure registrar accounts: Registrar accounts must be secured with strong authentication methods, including multifactor authentication (MFA) and domain locking.
  • Train users: Educating users to verify site authenticity, such as bookmarking URLs or checking ENS records, can reduce phishing success rates. A most prudent measure!

Bridging the trust gap between decentralized protocols and centralized interfaces is essential for maintaining security and user confidence in DeFi platforms. A task most noble!
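The DNSSEC and registrar-lock recommendations above, together with the delegation change described in the incident, can be turned into a small periodic audit. What follows is an added example written for this page, not Curve Finance's own tooling. It parses the plain text that `dig +short NS <domain>`, `dig +short DS <domain>` and a `whois` lookup would print, and compares it against an allowlist of expected nameservers and the standard EPP lock status codes. All sample outputs, the `legit.example` / `rogue.example` nameserver names and the allowlist are constructed; registry whois formats vary, and the `Domain Status:` layout assumed here is the ICANN-style one.

```python
"""Delegation-drift and registrar-hardening audit for a domain.

Constructed example. Feed it the text output of `dig +short NS`,
`dig +short DS` and `whois`; the samples below are made up.
"""
import re

# Assumption: the nameservers the domain is supposed to be delegated to.
EXPECTED_NS = {"ns1.legit.example.", "ns2.legit.example."}

# Standard EPP status codes a locked domain should carry (registrar-side locks).
WANTED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}


def parse_short(output):
    """Turn `dig +short` output into a set of lowercase, stripped records."""
    return {line.strip().lower() for line in output.splitlines() if line.strip()}


def delegation_drift(ns_output, expected=EXPECTED_NS):
    """Report nameservers that should not be there and expected ones that are gone."""
    observed = parse_short(ns_output)
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


def dnssec_signed(ds_output):
    """A DS record published by the parent zone means the delegation is DNSSEC-signed."""
    return bool(parse_short(ds_output))


def parse_epp_status(whois_text):
    """Collect every `Domain Status: <code>` value from a whois record."""
    return set(re.findall(r"Domain Status:\s*(\w+)", whois_text))


def missing_locks(whois_text, wanted=WANTED_LOCKS):
    return sorted(wanted - parse_epp_status(whois_text))


def audit(ns_output, ds_output, whois_text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    drift = delegation_drift(ns_output)
    if drift["unexpected"]:
        findings.append("delegation points at unexpected nameservers: "
                        + ", ".join(drift["unexpected"]))
    if drift["missing"]:
        findings.append("expected nameservers no longer delegated: "
                        + ", ".join(drift["missing"]))
    if not dnssec_signed(ds_output):
        findings.append("no DS record at the parent: DNSSEC is not enabled")
    locks = missing_locks(whois_text)
    if locks:
        findings.append("registrar locks missing: " + ", ".join(locks))
    return findings


# Constructed sample outputs (not real records for any domain).
HEALTHY_NS = "ns1.legit.example.\nns2.legit.example.\n"
HIJACKED_NS = "ns1.rogue.example.\n"
HEALTHY_DS = "12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\n"
NO_DS = ""
LOCKED_WHOIS = (
    "Domain Name: example.fi\n"
    "Domain Status: clientTransferProhibited\n"
    "Domain Status: clientUpdateProhibited\n"
    "Domain Status: clientDeleteProhibited\n"
)
UNLOCKED_WHOIS = "Domain Name: example.fi\nDomain Status: ok\n"

if __name__ == "__main__":
    print("healthy :", audit(HEALTHY_NS, HEALTHY_DS, LOCKED_WHOIS))
    print("hijacked:", audit(HIJACKED_NS, NO_DS, UNLOCKED_WHOIS))
```

Because the hijack in the incident changed the delegation at the registrar, the NS query is best sent to the parent TLD's nameservers rather than to a recursive resolver that may still be serving cached records, and the audit is worth scheduling at a short interval so that drift is raised well before users are redirected for long.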


2025-05-23 18:06
