Understanding the Curve Finance DNS hijacking
On May 12, 2025, at 20:55 UTC, hackers hijacked the “.fi” domain name system (DNS) of Curve Finance after managing to access the registrar. They began sending its users to a malicious website, attempting to drain their wallets. This was the second attack on Curve Finance’s infrastructure in a week.
Users were directed to a website that was a non-functional decoy, designed only to trick users into providing wallet signatures. The hack hadn’t breached the protocol’s smart contracts and was limited to the DNS layer.
The DNS is a critical component of the internet that functions like a phonebook. It allows you to use simple, memorable domain names (such as facebook.com) instead of complex numerical IP addresses (like 192.168.1.1) for websites. DNS converts these user-friendly domain names into the IP addresses computers require to connect.
This is not the first time Curve Finance, a decentralized finance (DeFi) protocol, has suffered such an attack. Back in August 2022, Curve Finance faced an attack with similar tactics. The attackers had cloned the Curve Finance website and interfered with its DNS settings to send users to a duplicate version of the website. Users who tried using the platform ended up losing their money to the attackers. The project was using the same registrar, “iwantmyname,” at the time of the previous attack.
How attackers execute DNS hijacking in crypto
When a user types a web address, their device queries a DNS server to retrieve the corresponding IP address and connect to the correct website. In DNS hijacking, fraudsters interfere with this process by altering how DNS queries are resolved, rerouting users to malicious sites without their knowledge.
Fraudsters execute DNS hijacking in several ways. Attackers might exploit vulnerabilities in DNS servers, compromise routers, or gain access to domain registrar accounts. The objective is to change the DNS records so that a user trying to visit a legitimate site is redirected to a fake, lookalike page containing wallet-draining code.
Types of DNS hijacking include:
- Local DNS hijack: Malware on a user’s device changes DNS settings, redirecting traffic locally.
- Router hijack: Attackers compromise home or office routers to alter DNS for all connected devices.
- Man-in-the-middle attack: Intercepts DNS queries between user and server, altering responses on the fly.
- Registrar-level hijack: Attackers gain access to a domain registrar account and modify official DNS records, affecting all users globally.
Did you know? During the Curve Finance DNS attack in 2023, users accessing the real domain unknowingly signed malicious transactions. The back end was untouched, but millions were lost through a spoofed front end.
How DNS hijacking worked in the case of Curve Finance
When attackers compromise a website with DNS hijacking, they can reroute traffic to a malicious website without the user’s knowledge.
There are several ways DNS hijacking can occur. Attackers might infect a user’s device with malware that alters local DNS settings, or they may gain control of a router and change its DNS configuration. They may also target DNS servers or domain registrars themselves. In such cases, they modify the DNS records at the source, affecting all users trying to access the site.
In the case of Curve Finance, the attackers infiltrated the systems of the domain registrar “iwantmyname” and altered the DNS delegation of the “curve.fi” domain to redirect traffic to their own DNS server.
A domain registrar is a company authorized to manage the reservation and registration of internet domain names. It allows individuals or organizations to claim ownership of a domain and link it to web services like hosting and email.
The precise method of the breach is still under investigation. By May 22, 2025, no evidence of unauthorized access or compromised credentials was found.
Did you know? DNS hijacking attacks often succeed by compromising domain registrar accounts through phishing or poor security. Many Web3 projects still host domains with centralized providers like GoDaddy or Namecheap.
How Curve Finance responded to the hack
While the registrar was slow to respond, the Curve team took measures to deal with the situation. It successfully redirected the “.fi” domain to neutral nameservers, thus taking the website offline while efforts to regain control continued.
To ensure safe access to the frontend and secure fund management, the Curve team quickly launched a secure alternative at “curve.finance,” now serving as the official Curve Finance interface temporarily.
Upon discovering…
cointelegraph.com