Curve Finance has warned users not to interact with its website after a domain name system hijack redirected users to a malicious clone designed to drain wallets.
On May 12, the DeFi platform issued a warning on X, alerting users that “curve.fi DNS might be hijacked” and advising against any interaction.
The incident involves the DNS of Curve’s official website being rerouted to a malicious front end. In a frontend hijack, attackers compromise the user-facing layer of a website, including interface elements like buttons, forms, and scripts, to intercept user inputs or trick them into authorising malicious transactions.
Visiting the compromised domain could lead users to connect wallets and unknowingly give attackers access to their funds.
In a follow-up update, Curve Finance clarified that while Curve’s smart contracts remain secure, the domain now “points to the wrong IP.”
According to the Curve team, the platform’s two-factor authentication remains secure, and a support request has been submitted to the domain registrar to recover control of the DNS.
As of the last update, the team said it is still investigating the incident and has urged users to refrain from interacting with the website until the correct domain settings are restored.
“The hackers barely even tried,” said David Zhang, co-founder of Web3 fiat onramp Stably. In an X post, Zhang pointed out that the hijack involved little more than a drainer link embedded in a clickable screenshot.
For Curve, this was the second time its DNS had been hijacked. In August 2022, attackers exploited a similar vulnerability, but at the time, over $570,000 worth of crypto assets were siphoned before the issue was contained.
Binance froze over $450,000 after the attacker attempted to move assets through its exchange, while Fixed Float recovered around 112 ETH. Curve later changed its DNS provider and advised users to revoke approvals linked to the compromised domain.
The incident also appeared to weigh on market sentiment, with CRV, the native token of Curve DAO, down over 7% in the past 24 hours when writing.
The latest DNS hijack comes just days after Curve Finance’s X account was compromised. On May 5, a hacker briefly took control of the platform’s social media handle, using the account to post phishing links. The incident was quickly contained, and Curve later clarified that no user funds were affected.
“No security issues were found on our side, no user funds were impacted, no victims of phishing links which the hacker posted. All Curve systems remain fully operational,” Curve Finance wrote in a May 6 X post.
Similar attacks have targeted X accounts of several other crypto projects and public figures in recent weeks, often to spread phishing links or promote scam tokens.
