Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Curve Finance, a decentralized finance (DeFi) protocol, has suffered a second DNS hijacking attack in a week, redirecting users to a malicious website. The attack, confirmed by Curve Finance on May 12th via X (formerly Twitter), warns users not to interact with the website (curve.fi) as it points to the wrong IP address. This follows a similar incident in August 2022, where attackers cloned the website and rerouted the DNS server to a fraudulent page, resulting in user fund losses.
Curve Finance assures users that its smart contracts remain secure and that two-factor authentication is active. The team is actively investigating the issue and working to regain access, attributing the problem to the hijacked domain name. They’ve contacted their registrar and confirmed the password’s security.
Onchain security firm Blockaid has also flagged unusual activity, warning users to avoid interacting with the decentralized application (DApp) until the situation is resolved. Blockaid refers to this as a potential frontend attack, where hackers target user-interactive elements to steal data. This mirrors the August 2022 incident where a cloned website was used to drain user funds.
This latest attack follows a May 5th incident where a hacker briefly took control of Curve Finance’s official X account. Curve Finance clarified that this was isolated to the X account, with no other accounts affected, no security breaches discovered, and no user funds impacted. This highlights a broader trend of high-profile X account hijackings, including attacks on the Tron DAO account and UK Parliament member Lucy Powell’s account.
The current situation underscores the ongoing vulnerabilities in the DeFi space and the importance of heightened security measures for both platforms and users. The persistence of these attacks highlights the need for robust security protocols and vigilance against phishing and other malicious activities. The investigation into both the DNS hijacking and the previous X account compromise is ongoing.