Understanding the Curve Finance DNS hijacking
On May 12, 2025, at 20:55 UTC, hackers hijacked the “.fi” domain name system (DNS) of Curve Finance after managing to access the registrar. They began sending its users to a malicious website, attempting to drain their wallets. This was the second attack on Curve Finance’s infrastructure in a week.
Users were directed to a website that was a non-functional decoy, designed only to trick users into providing wallet signatures. The hack hadn’t breached the protocol’s smart contracts and was limited to the DNS layer.
The DNS is a critical component of the internet that functions like a phonebook. It allows you to use simple, memorable domain names (such as facebook.com) instead of complex numerical IP addresses (like 192.168.1.1) for websites. DNS converts these user-friendly domain names into the IP addresses computers require to connect.
This is not the first time Curve Finance, a decentralized finance (DeFi) protocol, has suffered such an attack. Back in August 2022, Curve Finance faced an attack with similar tactics. The attackers had cloned the Curve Finance website and interfered with its DNS settings to send users to a duplicate version of the website. Users who tried using the platform ended up losing their money to the attackers. The project was using the same registrar, “iwantmyname,” at the time of the previous attack.
How attackers execute DNS hijacking in crypto
When a user types a web address, their device queries a DNS server to retrieve the corresponding IP address and connect to the correct website. In DNS hijacking, fraudsters interfere with this process by altering how DNS queries are resolved, rerouting users to malicious sites without their knowledge.
Fraudsters execute DNS hijacking in several ways. Attackers might exploit vulnerabilities in DNS servers, compromise routers, or gain access to domain registrar accounts. The objective is to change the DNS records so that a user trying to visit a legitimate site is redirected to a fake, lookalike page containing wallet-draining code.
Types of DNS hijacking include:
- Local DNS hijack: Malware on a user’s device changes DNS settings, redirecting traffic locally.
- Router hijack: Attackers compromise home or office routers to alter DNS for all connected devices.
- Man-in-the-middle attack: Intercepts DNS queries between user and server, altering responses on the fly.
- Registrar-level hijack: Attackers gain access to a domain registrar account and modify official DNS records, affecting all users globally.
Did you know? During the Curve Finance DNS attack in 2023, users accessing the real domain unknowingly signed malicious transactions. The back end was untouched, but millions were lost through a spoofed front end.
How DNS hijacking worked in the case of Curve Finance
When attackers compromise a website with DNS hijacking, they can reroute traffic to a malicious website without the user’s knowledge.
There are several ways DNS hijacking can occur. Attackers might infect a user’s device with malware that alters local DNS settings, or they may gain control of a router and change its DNS configuration. They may also target DNS servers or domain registrars themselves. In such cases, they modify the DNS records at the source, affecting all users trying to access the site.
In the case of Curve Finance, the attackers infiltrated the systems of the domain registrar “iwantmyname” and altered the DNS delegation of the “curve.fi” domain to redirect traffic to their own DNS server.
A domain registrar is a company authorized to manage the reservation and registration of internet domain names. It allows individuals or organizations to claim ownership of a domain and link it to web services like hosting and email.
The precise method of the breach is still under investigation. By May 22, 2025, no evidence of unauthorized access or compromised credentials was found.
Did you know? DNS hijacking attacks often succeed by compromising domain registrar accounts through phishing or poor security. Many Web3 projects still host domains with centralized providers like GoDaddy or Namecheap.
How Curve Finance responded to the hack
While the registrar was slow to respond, the Curve team took measures to deal with the situation. It successfully redirected the “.fi” domain to neutral nameservers, thus taking the website offline while efforts to regain control continued.
To ensure safe access to the frontend and secure fund management, the Curve team quickly launched a secure alternative at “curve.finance,” now serving as the official Curve Finance interface temporarily.
Upon discovering the exploit at 21:20 UTC, the following actions were taken:
- Users were immediately notified through official channels
- Requested the takedown of the compromised domain
- Initiated mitigation and domain recovery processes
- Collaborated with security partners and the registrar to coordinate a response.
Compromise of the domain notwithstanding, the Curve protocol and its smart contracts remained secure and fully operational. During the disruption of the front end, Curve processed over $400 million in onchain volume. No user data was at risk, as Curve’s front end does not store any user information.
Throughout the compromise, the Curve team was always available through its Discord server, where users could raise issues with them.
After implementing immediate damage control measures, the Curve team is now taking additional steps to prepare for the future.
- Assessing and enhancing registrar-level security, incorporating stronger protections and exploring alternative registrars
- Investigating decentralized front-end options to eliminate dependence on susceptible web infrastructure
- Partnering with the broader DeFi and Ethereum Name Service (ENS) communities to advocate for native browser support for “.eth” domains.
Did you know? Unlike smart contract exploits, DNS hijacks leave no trace onchain initially, making it hard for users to realize they have been tricked until funds are gone. It is a stealthy form of crypto theft.
How crypto projects can deal with DNS hijacking vulnerability
The Curve Finance attack is concerning because it bypassed the decentralized security mechanisms at the protocol level. Curve’s backend, meaning its smart contracts and onchain logic, remained unharmed, yet users lost funds because they were deceived at the interface level. This incident underscores a significant vulnerability in DeFi.
While the backend may be decentralized and trustless, the front end still depends on centralized Web2 infrastructure like DNS, hosting and domain registrars. Attackers can exploit these centralized choke points to undermine trust and steal funds.
The Curve attack serves as a wake-up call for the crypto industry to explore decentralized web infrastructure, such as InterPlanetary File System (IPFS) and Ethereum Name Service (ENS), to reduce reliance on vulnerable centralized services.
To address the gap between decentralized backends and centralized frontends, crypto projects must adopt a multi-layered approach.
Here are various ways crypto projects can deal with this gap:
- Minimize reliance on traditional DNS: They can minimize reliance on traditional DNS by integrating decentralized alternatives of DNS like the ENS or Handshake, which reduce the risk of registrar-level hijacks.
- Use decentralized file storage systems: Hosting frontends on decentralized file storage systems such as IPFS or Arweave adds another layer of protection.
- Implement domain name system security extensions (DNSSEC): Teams should implement DNSSEC to verify the integrity of DNS records and prevent unauthorized changes.
- Secure registrar accounts: Registrar accounts must be secured with strong authentication methods, including multifactor authentication (MFA) and domain locking.
- Train users: Educating users to verify site authenticity, such as bookmarking URLs or checking ENS records, can reduce phishing success rates.
Bridging the trust gap between decentralized protocols and centralized interfaces is essential for maintaining security and user confidence in DeFi platforms.
