Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Curve Finance’s DNS Hijacking: A Critical Vulnerability in DeFi
On May 12, 2025, hackers exploited a critical vulnerability in Curve Finance’s infrastructure, hijacking its “.fi” domain name system (DNS) through compromised registrar access. This rerouted users to a malicious website designed to steal funds, marking the second such attack in a week. Unlike previous attacks targeting smart contracts, this DNS hijacking only affected the front-end interface, leaving the protocol’s backend unharmed.
DNS hijacking manipulates the process of resolving domain names to IP addresses, redirecting users to fraudulent sites. Attackers employ various methods, including exploiting DNS server vulnerabilities, compromising routers, or gaining access to domain registrar accounts—as occurred in Curve Finance’s case. This registrar-level hijack, affecting all users globally, highlights the reliance of decentralized finance (DeFi) protocols on centralized infrastructure. While Curve’s smart contracts remained secure, the compromised front-end facilitated the theft of user funds.
Curve Finance’s rapid response involved redirecting the “.fi” domain to neutral nameservers, temporarily taking the website offline. A secure alternative, “curve.finance,” was launched, ensuring continued functionality. Despite the disruption, over $400 million in on-chain volume was processed, demonstrating the resilience of the protocol itself. No user data was compromised as the front-end doesn’t store user information. The team actively engaged with users via Discord, addressing concerns and providing support.
This incident underscores the significant vulnerability in DeFi’s reliance on centralized services. While backends may be decentralized, front-ends remain susceptible. To mitigate this risk, the crypto industry must embrace decentralized alternatives. Projects should minimize reliance on traditional DNS by integrating solutions like ENS or Handshake, utilize decentralized file storage (IPFS, Arweave), and implement DNSSEC to verify record integrity. Robust registrar account security, including MFA and domain locking, is crucial. Educating users to verify site authenticity through methods like bookmarking or ENS checks further enhances security. Bridging the gap between decentralized protocols and centralized interfaces is vital for maintaining user trust and confidence in the DeFi ecosystem.