
Curve Finance DNS Hijack Steals $575K as Nameserver Compromise Redirects Users to Fake Site

Hackers compromise Curve's nameserver and redirect users to a cloned site, stealing $575K in approvals before the team regains control and directs users to curve.finance.

By Oliver Woodford · 2 min read

Curve Finance's primary domain was hijacked on Tuesday morning, redirecting users to a cloned site where attackers stole approximately $575,000 in token approvals. The attack exploited a compromised nameserver, not a weakness in Curve's own security or user credentials. The phishing site crafted its approval transactions so convincingly that users unknowingly authorized transfers to attacker-controlled wallets.

The hijack centered on curve.fi, Curve's main user interface. An attacker — or group of attackers — compromised Curve's underlying nameserver and redirected DNS queries to point to their own servers. These servers hosted a pixel-perfect clone of Curve's interface, complete with genuine-looking branding and functionality. Users who visited curve.fi in the first 90 minutes of the attack encountered the fake site without warning.

The malicious site prompted users to approve token transfers to what appeared to be legitimate Curve pools. Each approval actually sent funds to addresses controlled by the attacker. Within 90 minutes, roughly $575,000 had been stolen across multiple victim transactions. The perpetrator moved $500,000 directly to centralized exchanges as ETH and laundered another $20,000 via Tornado Cash.

Curve's team announced the breach via Twitter after receiving user complaints. The nameserver itself had been compromised, meaning the attack didn't require breaking into Curve's registrar account or stealing internal credentials. A spokesperson confirmed that Curve founder Michael Egorov had verified that the registrar, iwantmyname, had experienced the breach. Curve's exchange platform remained unaffected since it uses separate DNS infrastructure.

The team immediately redirected the compromised nameserver to neutral, offline status while working to regain control. Within an hour of the initial warning, Curve published a new official domain at curve.finance and urged users to migrate immediately. Users who had approved contracts in the previous 90 minutes were instructed to revoke those approvals without delay through Etherscan.

The attack exposed the vulnerability of relying on traditional internet infrastructure, even for decentralized protocols. Smart contract audits and on-chain security can't prevent a compromised nameserver from redirecting users to malicious sites. Curve's funds themselves never left the protocol — the victims had authorized attackers to drain their personal wallets directly. The victims, not Curve, were the targets.

DNS hijacking remains one of the most difficult attack vectors to prevent entirely. A determined attacker with access to a nameserver's administrative credentials can redirect any domain, regardless of how secure the underlying service is. Curve advised users to bookmark official domains, verify addresses through multiple sources before transacting, and use hardware wallets for large approvals.
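Teams that operate or depend on a front end like this can watch for exactly the drift described above. The following is an added example, not Curve's or iwantmyname's tooling: it compares the NS and A answers seen by several independent resolvers against a recorded baseline and flags both deviation from the baseline and disagreement between resolvers. All nameserver names and IP addresses below are constructed placeholders.

```python
"""Detect nameserver delegation drift for a domain (added example)."""
from dataclasses import dataclass


@dataclass
class Observation:
    resolver: str   # IP of the resolver that answered
    ns: set         # NS names returned for the zone
    a: set          # A records returned for the site hostname


def check_delegation(domain, baseline_ns, baseline_a, observations):
    """Return alert strings; an empty list means every resolver matches the baseline."""
    findings = []
    for obs in observations:
        unexpected_ns = obs.ns - baseline_ns
        missing_ns = baseline_ns - obs.ns
        if unexpected_ns or missing_ns:
            findings.append(f"{obs.resolver}: NS drift for {domain}: "
                            f"unexpected={sorted(unexpected_ns)} missing={sorted(missing_ns)}")
        unexpected_a = obs.a - baseline_a
        if unexpected_a:
            findings.append(f"{obs.resolver}: A drift for {domain}: {sorted(unexpected_a)}")
    # Resolvers disagreeing with each other is itself a signal: a hijacked
    # delegation propagates unevenly, so some caches lag behind others.
    ns_views = {frozenset(o.ns) for o in observations}
    a_views = {frozenset(o.a) for o in observations}
    if len(ns_views) > 1 or len(a_views) > 1:
        findings.append(f"resolvers disagree on {domain}: "
                        f"{len(ns_views)} NS views, {len(a_views)} A views")
    return findings


def live_observation(domain, hostname, resolver_ip):
    """Query one resolver directly. Assumes dnspython is installed; imported lazily
    so the offline demo below runs without it."""
    import dns.resolver
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [resolver_ip]
    ns = {str(rr.target).rstrip(".") for rr in r.resolve(domain, "NS")}
    a = {rr.address for rr in r.resolve(hostname, "A")}
    return Observation(resolver_ip, ns, a)


# Constructed baseline and observations modelling the incident: two resolvers
# still return the expected delegation, one already serves the attacker's.
BASELINE_NS = {"ns1.registrar.invalid", "ns2.registrar.invalid"}
BASELINE_A = {"192.0.2.10"}
SAMPLE = [
    Observation("198.51.100.1", set(BASELINE_NS), set(BASELINE_A)),
    Observation("198.51.100.2", set(BASELINE_NS), set(BASELINE_A)),
    Observation("198.51.100.3", {"ns1.attacker.invalid"}, {"203.0.113.7"}),
]

if __name__ == "__main__":
    for finding in check_delegation("curve.fi", BASELINE_NS, BASELINE_A, SAMPLE):
        print("ALERT", finding)
```

Run it on a schedule from several vantage points and page on any non-empty result; the 90-minute window in this incident is the kind of gap such a check is meant to close.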

By Wednesday morning, Curve had stabilized operations on curve.finance and confirmed that user funds held in protocol vaults remained secure. The incident reinforced why seasoned DeFi users avoid interacting with DeFi protocols through search engine results or unverified links — a single DNS compromise can trivialize years of security engineering.

