In brief
- Curve Finance’s front-end website suffered a DNS compromise where attackers redirected users to a malicious site.
- The attack involved manipulating DNS records to point to a fraudulent site mimicking Curve’s interface with malicious scripts designed to trick users into approving token transfers.
- This isn’t Curve Finance’s first security incident. They experienced a similar DNS hijack in 2022 resulting in $570,000 in losses, and faced another exploit in 2023 involving Vyper programming vulnerabilities with estimated losses of $24 million.
Decentralized protocol Curve Finance confirmed Tuesday that its front-end website was compromised, with attackers redirecting users to a fake site.
“The DNS incident involving Curve Finance reflects a broader issue across the industry,” the project told Decrypt. “In recent weeks, there has been a noticeable increase in attacks targeting the infrastructure of various crypto projects.”
The exploit redirected traffic to a malicious IP, the protocol said on social media. “User funds are safe. Curve smart contracts remain secure,” it added.
The incident was first discovered on Monday afternoon, after which Curve Finance issued a preliminary response.
While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet!
We are investigating and working on recovering the access.
No sign of a compromise on our side
— Curve Finance (@CurveFinance) May 12, 2025
Curve Finance later said the breach was “strictly limited to the DNS layer” and did not compromise its core infrastructure.
Its security team promptly isolated the issue, initiated an investigation, and engaged with their domain registrar and security partners to address the situation, the project said.
Security measures were in place “long before the incident,” the protocol added.
What happened?
According to Curve Finance, attackers manipulated the DNS records to point to an IP address under their control. A DNS record connects a domain name to details like an IP address, helping direct internet traffic.
The fraudulent site, which mirrored Curve’s interface, reportedly contained malicious scripts aimed at tricking users into approving token transfers to the attackers.
“DNS exploits are a form of social engineering at the infrastructure level. Attackers compromise the domain name system,” Meir Dolev, co-founder and CTO of blockchain security firm Cyvers, told Decrypt.
If a site’s mapping changes due to stolen credentials or a registrar’s vulnerability, users may be redirected to harmful servers without realizing it.
“These cloned sites can prompt users to connect wallets and approve transactions that drain funds,” Dolev explained. “It’s particularly dangerous because the average user can’t easily tell the difference—they still see the correct URL.”
The attack doesn’t breach the protocol’s blockchain, but rather “exploits the trust layer” between the user and a decentralized app’s interface.
“So long as users interact with Curve directly via verified contract addresses, their funds are likely unaffected,” Dolev noted.
Hacking history
This isn’t the first time Curve has been hit.
Back in 2022, Curve Finance suffered a DNS hijack where attackers redirected users from its legitimate domain to a malicious site, resulting in approximately $570,000 in losses.
Following the attack, Curve advised users to revoke any suspicious approvals and proposed migrating to the Ethereum Name Service (ENS) to mitigate future vulnerabilities.
A year later, Curve Finance faced another exploit involving some Vyper programming language versions and the CRV/ETH pool.
The loss across affected DeFi projects was estimated at $24 million at the time.
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
