Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 102 · Frontend Hijack

Curve Finance DNS Hijack

Attackers hijacked curve.fi's DNS via its domain registrar and served a wallet-drainer frontend, stealing ~$575K from users while the contracts were untouched.

Date: August 9, 2022
Chain(s): (not listed)
Status: Partially Recovered

On August 9, 2022, attackers hijacked the DNS records for curve.fi through Curve Finance's domain registrar/nameserver, and served a malicious clone of the Curve frontend containing a wallet drainer. Users who connected and approved transactions on the spoofed site lost approximately $575,000. Curve's smart contracts were never touched — the attack was entirely at the DNS / web-serving layer.

What happened

Curve Finance's on-chain contracts are among the most heavily audited in DeFi. None of that mattered for this incident, because the attack never went near them.

The attacker took control of the DNS configuration for the curve.fi domain by compromising the domain's nameserver / registrar account. With control of DNS, they pointed curve.fi at a server hosting a pixel-identical copy of the Curve frontend, modified to inject a wallet-drainer contract into the transaction flow.

Users who visited curve.fi during the hijack window:

  1. Saw what appeared to be the normal, correct Curve interface (correct domain in the address bar, correct-looking UI).
  2. Connected their wallet and attempted normal Curve operations.
  3. Were presented with malicious approval/transfer transactions disguised as legitimate Curve interactions.
  4. Signed those transactions, which drained their wallets to the attacker.

Total stolen: approximately $575K before the community detected the hijack and Curve regained DNS control. A portion was later frozen by Binance, whose compliance team caught some of the laundering flow.

Aftermath

  • Curve regained control of its DNS and warned users via Twitter to revoke approvals and avoid the site until cleared.
  • Binance froze ~$450K of the stolen funds during laundering, partially mitigating the loss.
  • Curve later moved toward more resilient frontend distribution (IPFS-hosted interface, ENS resolution) to reduce single-point-of-failure DNS risk.

Why it matters

The Curve DNS hijack is one of the cleanest demonstrations that a DeFi protocol's attack surface extends far beyond its smart contracts. The full trust chain a user depends on includes:

  • The smart contracts (Curve's were perfectly safe).
  • The frontend code (could be safe, but wasn't being served).
  • The web hosting (could be safe, but DNS pointed elsewhere).
  • The DNS configuration (compromised).
  • The domain registrar account (the actual entry point).

A compromise of any link in that chain is a complete compromise from the user's perspective. The pattern recurs across the catalogue at escalating scale: Curve DNS ($575K, 2022) → BadgerDAO Cloudflare API ($120M, 2021) → Bybit Safe{Wallet} supply chain ($1.46B, 2025). Same structural lesson — the infrastructure serving the contract calls is part of the protocol's trust boundary — at three orders of magnitude difference in loss.

The defensive responses — registrar-lock / DNSSEC, IPFS+ENS frontend distribution, hardware-wallet calldata verification independent of the UI — were all reiterated industry-wide after this and the larger incidents in the same lineage.
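The calldata check mentioned above (verifying what is actually being signed, independent of the UI) as an added example; this is not part of this archive or of Curve's own tooling. It decodes a pending ERC-20 `approve`/`transfer` call and blocks approvals to spenders outside an allowlist. The allowlist addresses are constructed placeholders, not real Curve contract addresses.

```python
"""Pre-signing calldata check: decode ERC-20 approve/transfer and flag
approvals that a spoofed frontend might slip into a normal-looking flow."""
from dataclasses import dataclass

# Standard ERC-20 4-byte selectors (first 4 bytes of keccak256 of the signature).
APPROVE = "095ea7b3"   # approve(address,uint256)
TRANSFER = "a9059cbb"  # transfer(address,uint256)
UINT256_MAX = 2**256 - 1

# Constructed placeholder allowlist; a real check would load the protocol's
# published pool/router addresses, not these values.
TRUSTED_SPENDERS = {"0x" + "11" * 20, "0x" + "22" * 20}


@dataclass
class Verdict:
    function: str
    target: str      # spender (approve) or recipient (transfer)
    amount: int
    risk: str        # "ok", "warn" or "block"
    reason: str


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(address,uint256) calldata (used here to construct sample input)."""
    addr = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + APPROVE + addr.hex() + amount.to_bytes(32, "big").hex()


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the selector, or fail loudly."""
    word = data[4 + 32 * i: 36 + 32 * i]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def inspect_calldata(calldata: str, trusted=TRUSTED_SPENDERS) -> Verdict:
    """Decode the call and rate it; unknown selectors are never silently 'ok'."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in (APPROVE, TRANSFER):
        return Verdict("unknown", "", 0, "warn", f"unrecognised selector 0x{selector}")
    target = "0x" + _word(data, 0)[12:].hex()   # address is the low 20 bytes of the word
    amount = int.from_bytes(_word(data, 1), "big")
    if selector == TRANSFER:
        return Verdict("transfer", target, amount, "warn", "direct token transfer; confirm recipient")
    if target.lower() not in {t.lower() for t in trusted}:
        return Verdict("approve", target, amount, "block", "spender is not a known protocol contract")
    if amount == UINT256_MAX:
        return Verdict("approve", target, amount, "warn", "unlimited allowance to a trusted spender")
    return Verdict("approve", target, amount, "ok", "bounded allowance to a trusted spender")
```

A drainer approval to an unknown spender is rated "block" regardless of how legitimate the page that produced it looked.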

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-curve-finance-dns-hijack-august-2022
  2. [02] screenrant.com: https://screenrant.com/stablecoin-exchange-curve-finance-dns-redirect-attack/
  3. [03] rekt.news: https://rekt.news/curve-finance-rekt
