Curve.fi Domain Suspected of Being Hijacked, Please Suspend Interaction!
The domain has currently been redirected to a malicious page, and connecting your wallet may result in asset theft.
Warning!
The stablecoin exchange protocol Curve Finance has once again issued a warning about a potential hack, suspected to be a DNS (Domain Name System) hijacking that directs users to malicious websites. On-chain security firm Blockaid has also issued a warning, describing the incident as a “potential frontend attack” and advising users to refrain from interacting with the Curve website or signing any transactions to avoid asset loss.
DNS Directing to Incorrect IP Poses Risk to Users
On the 12th, the Curve team issued a warning on X, stating, “curve.fi DNS may have been hijacked, please do not interact!” Subsequent clarification noted that the website currently “points to an incorrect IP,” meaning that users could be redirected to a hacker-controlled malicious page even if they enter the official URL.
Curve stated that all smart contracts remain safe and that passwords and two-factor authentication mechanisms have not been affected. However, because the problem lies at the DNS level, users risk being redirected to counterfeit websites and having their wallet assets stolen as soon as they interact with the page. The team has reached out to the domain registrar to investigate the cause and is attempting to regain control.
While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet! We are investigating and working on recovering the access. No sign of a compromise on our side https://t.co/YUmwtwt5PH
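To illustrate the "points to an incorrect IP" condition from a monitoring perspective, the following is an added example (not code from Curve, Blockaid or the original article): it parses `dig +noall +answer` output collected from several resolvers and flags A or NS records that fall outside a pinned baseline. The host name, resolver labels, baseline and all records are constructed placeholders using documentation address ranges.

```python
import ipaddress

# Constructed baseline for a hypothetical frontend host; not Curve's real records.
BASELINE = {
    "a_networks": [ipaddress.ip_network("192.0.2.0/28")],
    "ns": {"ns1.registrar.example.", "ns2.registrar.example."},
}

# Constructed `dig +noall +answer` output (A and NS queries concatenated) per resolver.
SAMPLE = {
    "resolver-1": "app.example.\t300\tIN\tA\t192.0.2.10\n"
                  "app.example.\t3600\tIN\tNS\tns1.registrar.example.\n"
                  "app.example.\t3600\tIN\tNS\tns2.registrar.example.\n",
    "resolver-2": "app.example.\t60\tIN\tA\t203.0.113.66\n"
                  "app.example.\t3600\tIN\tNS\tns1.unknown-dns.example.\n",
}


def parse_answers(text):
    """Parse dig answer lines into (name, ttl, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or line.startswith(";") or parts[2] != "IN":
            continue  # skip comments, blanks and non-Internet classes
        records.append((parts[0].lower(), int(parts[1]), parts[3], parts[4].lower()))
    return records


def check_drift(observations, baseline):
    """Return sorted (resolver, issue, value) findings for records outside the baseline."""
    findings = []
    for resolver, text in observations.items():
        for _name, _ttl, rtype, rdata in parse_answers(text):
            if rtype == "A":
                ip = ipaddress.ip_address(rdata)
                if not any(ip in net for net in baseline["a_networks"]):
                    findings.append((resolver, "unexpected-A", rdata))
            elif rtype == "NS" and rdata not in baseline["ns"]:
                findings.append((resolver, "unexpected-NS", rdata))
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_drift(SAMPLE, BASELINE):
        print("ALERT", *finding)
```

A changed NS set is worth alerting on separately from a changed A record, since it indicates the delegation itself has moved rather than a single record.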
Blockaid Detects Anomalous Requests from Curve.fi
The on-chain security firm Blockaid has also detected unusual requests from curve.fi, initially determining it to be a frontend attack. Hackers may exploit the website’s buttons, forms, or signing interfaces to steal user information. Once malicious transactions are signed, assets may be stolen.
Blockaid calls for:
“If you are connected, please avoid signing transactions and do not interact with the dApp. We are working closely with affected partners and will continue to provide updates.”
URGENT:
We have detected a potential frontend attack targeting @CurveFinance. If you’re connected, please refrain from signing transactions and avoid interactions with the dApp until the issue is resolved. We’re working closely with affected partners. More updates soon. https://t.co/YUmwtwt5PH
Second Attack in a Week, Curve’s Security Mechanism Under Test Again
This marks the second attack on Curve Finance this week. On May 6, its official X account was hacked, but at that time, the team emphasized that it was limited to the community account level and did not affect other platforms or user funds. However, experiencing two attacks within a few days has led the community to question Curve’s resilience in protecting critical infrastructure.
It is worth noting that Curve experienced a similar incident in August 2022, when hackers used counterfeit websites to steal user funds, resulting in losses. Although an incident report was released afterward and some security mechanisms were strengthened, the recurrence of such incidents indicates that frontend attacks remain a significant vulnerability for DeFi protocols. Users are reminded to stay vigilant not only about contract audits but also about the website interface they interact with.
Yesterday, the official @CurveFinanceX account was compromised. As you already know, access has been fully restored. To clarify: the incident was limited strictly to the X account. No other Curve accounts were affected. No security issues were found on our side, no user funds… https://t.co/8bci75uZGr