Curve Finance, a major player in the decentralized finance (DeFi) space, is once again grappling with a cybersecurity crisis. The team behind the protocol issued an urgent alert on May 12, warning users that its DNS (Domain Name System) had been hijacked and was redirecting visitors to a malicious clone of its site.
“curve.fi DNS might be hijacked. Don’t interact!” read the stark message on the platform’s X account (formerly Twitter). The warning came as users attempting to access the Curve website noticed they were being routed to an IP address that wasn’t tied to the official platform.
For context, DNS acts like the internet’s phonebook—translating domain names into actual server locations. A compromised DNS means users could unknowingly land on a fake site designed to look like the real one. In Curve’s case, that fake site can drain the crypto wallets of unsuspecting visitors.
Curve’s team was quick to assure users that their smart contracts remain secure, meaning the underlying protocol hasn’t been tampered with. However, they did confirm that the site’s domain had been pointed toward a malicious IP address. “We’re working on recovering access. No compromise was found on our infrastructure side,” the team emphasized, adding that their passwords were intact and two-factor authentication had been in place for some time.
This isn’t the first time Curve Finance has faced this kind of threat. A nearly identical DNS spoofing attack occurred in August 2022, in which attackers rerouted the DNS to a fraudulent version of the Curve website. Those who interacted with the fake platform saw their funds siphoned off into hacker-controlled wallets.
In this recent incident, onchain security firm Blockaid also detected suspicious activity and advised users to exercise extreme caution. “If you’re connected, please refrain from signing any transactions or interacting with the DApp,” Blockaid wrote, raising the possibility of a frontend exploit—a method where attackers manipulate the visible parts of a website (like buttons, forms, or even wallet prompts) to mislead users and steal funds.
While Curve continues its investigation and works with partners to resolve the breach, users are strongly advised to avoid visiting the curve.fi site or signing any transactions tied to it.
Unfortunately, this DNS hijacking marks the second cyber-related attack on Curve in less than a week. On May 5, the protocol’s official X account was briefly compromised. While that incident did not lead to financial losses, it raised eyebrows about the platform’s vulnerability to targeted social engineering and digital takeovers.
In a May 6 follow-up post, Curve reassured the community that the X account incident was contained, with no impact on other systems or user funds. They added that no successful phishing attempts had been reported, despite the hacker’s brief window to post scam links.
Curve’s challenges reflect a broader trend of rising attacks in the DeFi space. Earlier this year, high-profile X accounts like Tron DAO and even UK lawmaker Lucy Powell were hijacked to promote fraudulent tokens and schemes.
The Curve community, along with the wider DeFi ecosystem, is once again reminded of the critical importance of vigilance and secure digital practices. Until the situation is fully resolved, it’s best to avoid Curve’s web interface and rely only on official, verified communications from the team.