Top decentralized exchange Curve Finance has warned users to stay away from its curve.fi website due to an ongoing DNS hijacking attack, which redirects users to a malicious wallet drainer.
Last week, Curve’s X account was hacked to promote a phishing site, another common scam facing crypto users.
Roughly two hours after the initial alert, Curve confirmed that curve.fi “points to a malicious site which can drain your wallet!” Co-founder Michael Egorov steered users towards the platform’s alternative front-end, curve.finance, in the meantime.
A later update confirmed that “the protocol itself remains fully operational and secure.”
While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet!
We’re investigating and working on recovering the access.
No sign of a compromise on our side https://t.co/YUmwtwt5PH
— Curve Finance (@CurveFinance) May 12, 2025
According to decentralized finance (DeFi) dashboard DeFiLlama, Curve is the sector’s fourth-largest exchange, active on 9 blockchains and with a total value locked (TVL) of around $2 billion.
Front-end attacks are just one of several dangers facing DeFi users. In these attacks, hackers don’t directly target a project’s underlying liquidity pools, oracles or other smart contracts.
Instead, they aim to trick individual users who believe they’re interacting with a legitimate website into signing malicious transactions.
Many of DeFi’s most well-known projects have been targeted by this attack vector in the past, including 2021’s “approvals harvesting” heist of Badger DAO users, which netted attackers $120 million, including 896 bitcoins (BTC) — worth around $40 million at the time — from now-defunct Celsius.
In fact, this isn’t even Curve’s first tangle with front-end hijacking. In 2022, the curve.fi site was also spoofed, leading to around $570,000 of losses from unfortunate users.
The DNS registrar named-and-shamed in the wake of the first incident, iwantmyname, was again called out publicly by Curve, which says its “response time is totally unsacceptable [sic].”
The decision to stick with the registrar appears to be down to limitations related to the .fi domain, and Curve intends to phase it out.
Curve balls
Curve has faced plenty of trials and tribulations since its launch in 2020’s so-called “DeFi Summer.” Even the Curve DAO itself was yeeted into existence by anonymous user 0xc4ad who claimed to have found the governance contracts “ready to rock” and decided to deploy them themself.
Last year, Egorov’s heavily leveraged CRV positions were hit with a liquidation cascade, sending the token’s price plummeting.
The positions had been in limbo ever since the hack, which hit some of the exchange’s liquidity pools for around $70 million in the summer of 2023.