What Curve Finance’s 2022 DNS hijack reveals about Web3’s hidden reliance on centralized infrastructure—and how to defend against similar attacks.
Case Study: Curve Finance
Incident: DNS Hijack of DeFi Frontend
Date: August 9, 2022
Overview
Curve Finance, a decentralized exchange protocol on Ethereum known for its stablecoin AMM pools, experienced a domain name system (DNS) hijack on August 9, 2022. While the platform’s smart contracts remained secure and functional, its primary web interface (curve.fi) was compromised through an attack on its DNS provider. The attacker redirected users to a cloned website designed to deceive them into approving malicious wallet transactions. The attack exposed critical risks in Web3’s reliance on Web2 infrastructure.
Timeline of Events
- August 9, 2022 (20:20 UTC): Users began reporting unusual prompts on the curve.fi interface. The site was redirecting users and triggering unfamiliar transaction approvals.
- Minutes Later: Curve Finance acknowledged the issue on Twitter, warning users to avoid using the site.
- Same Day: The team redirected users to a secure backup domain (curve.exchange).
- Within 1 Hour: Curve identified that the DNS for curve.fi had been hijacked. The team regained control by switching the domain to new nameservers.
- August 10, 2022: DNS records fully propagated, restoring safe access to the site. The fraudulent site was taken offline. Users were instructed to revoke any permissions granted during the breach window.
Nature of the Breach
The attacker hijacked the DNS records for curve.fi. Rather than breaching Curve’s own systems, the attacker compromised the DNS provider Curve relied on, a company named “iwantmyname.” This made it a supply-chain attack against a Web2 service.
The attacker redirected traffic from curve.fi to a fraudulent replica of Curve’s frontend. The site looked legitimate but served malicious code that prompted users to sign token approvals for attacker-controlled contracts. Once a user granted such an approval through the fake interface, the attacker could use that allowance to transfer the user’s tokens.
The attack never touched Curve’s smart contracts, showing that a Web3 application can be compromised at its centralized access point even when its back end is decentralized.
Consequences
- Financial Impact: Approximately $570,000 to $615,000 USD in cryptocurrency was stolen. CertiK’s investigation found seven user wallets had signed malicious contract approvals, leading to the loss of funds.
- Asset Laundering: The stolen tokens were converted into ~363 ETH. Some of the ETH was routed through Tornado Cash. Approximately 112 ETH was frozen by FixedFloat, and Binance identified and halted additional withdrawals.
- Reputational Impact: While Curve’s smart contracts were untouched, the incident highlighted risks stemming from traditional infrastructure. The brand’s trust was temporarily affected, and the incident served as a cautionary example across the industry.
Detection and Immediate Response
The Curve community and team responded quickly:
- Social media users flagged the issue within minutes of the DNS hijack.
- Curve Finance immediately alerted users via Twitter to avoid using the site and switched traffic to curve.exchange.
- The DNS hijack was confirmed and mitigated by updating the domain’s nameservers.
- Users were advised to revoke wallet permissions if they had interacted with the site during the incident window.
Public Communication and Coordination
Curve maintained transparency throughout the event:
- Real-time updates were issued via Twitter.
- Curve’s founder, Michael Egorov, confirmed that the root cause was not a user account compromise but rather a breach at the DNS provider level.
- Curve acknowledged that its registrar, iwantmyname, had a nameserver vulnerability that was exploited.
- The team publicly thanked FixedFloat and Binance for assisting in recovering stolen funds.
- Security analysts (CertiK, Elliptic) and news sites (Cointelegraph, rekt.news) documented and shared insights from the attack.
Strategic Takeaways
1. DNS Infrastructure Is a Single Point of Failure
Curve’s DNS hijack highlights that despite decentralized smart contracts, many Web3 applications remain reliant on centralized infrastructure. Attackers bypassed blockchain protections by exploiting Web2 systems.
2. Registrar and DNS Providers Must Be Treated as Critical Vendors
The attack originated from a supply chain vulnerability at the DNS provider, not from Curve’s own operational systems. Web3 organizations must evaluate registrar vendors with the same rigor as core infrastructure.
3. Real-Time Incident Response Is Critical
Curve’s ability to detect, communicate, and mitigate the threat quickly likely limited financial and reputational losses. Prompt alerts, a working backup domain, and cooperation with partners helped contain the breach.
4. User Education on Wallet Approvals
The attack succeeded only when users approved unexpected wallet permissions. Ongoing education around wallet safety and approval hygiene is necessary, especially during UI disruptions.
Mitigation Actions Taken
- Curve updated DNS nameservers and rotated registrar credentials.
- The project reaffirmed a commitment to infrastructure audits.
- DNSSEC (Domain Name System Security Extensions) was likely implemented to mitigate future spoofing.
- Curve directed traffic to a backup domain (curve.exchange), which remained unaffected.
- Users were advised to use tools that allow revoking token permissions.
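Takeaway 4 above and the revocation advice in this list both come down to inspecting what an ERC-20 approve() call actually grants. The following is an added example, not code from Curve, DomainSure or any wallet: it decodes approve calldata, flags a spender outside a known-protocol allowlist or an unlimited allowance, and builds the approve(spender, 0) call that revokes an allowance; the trusted-pool and attacker addresses are constructed placeholders.

```python
# Added example (not Curve's or any wallet's code): a wallet-side check for the
# ERC-20 approve() calls a cloned frontend solicits, plus the approve(spender, 0)
# call that revokes an allowance. 0x095ea7b3 is the standard selector for
# approve(address,uint256); the addresses below are constructed for the demo.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
UINT256_MAX = (1 << 256) - 1

def _addr_bytes(address: str) -> bytes:
    raw = bytes.fromhex(address.removeprefix("0x"))
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw

def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector + two 32-byte words."""
    return APPROVE_SELECTOR + _addr_bytes(spender).rjust(32, b"\0") + amount.to_bytes(32, "big")

def encode_revoke(spender: str) -> bytes:
    """Calldata that removes an allowance: approve(spender, 0)."""
    return encode_approve(spender, 0)

def decode_approve(calldata: bytes):
    """Return (spender, amount) for a well-formed approve() call, else None."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        return None
    word = calldata[4:36]
    if any(word[:12]):  # an address word must be zero-padded on the left
        return None
    return "0x" + word[12:].hex(), int.from_bytes(calldata[36:68], "big")

def assess_approval(calldata: bytes, trusted_spenders) -> list:
    """Reasons to stop and show the user this approval; [] means nothing unusual."""
    decoded = decode_approve(calldata)
    if decoded is None:
        return []  # not an approve(); other selectors are out of scope here
    spender, amount = decoded
    reasons = []
    if spender not in {s.lower() for s in trusted_spenders}:
        reasons.append(f"spender {spender} is not a known protocol contract")
    if amount == UINT256_MAX:
        reasons.append("unlimited allowance requested")
    return reasons

TRUSTED_POOL = "0x" + "11" * 20   # constructed stand-in for a legitimate pool
ATTACKER = "0x" + "ab" * 20       # constructed stand-in for the phishing spender

if __name__ == "__main__":
    print(assess_approval(encode_approve(ATTACKER, UINT256_MAX), {TRUSTED_POOL}))
    print(encode_revoke(ATTACKER).hex())  # calldata to send to the token contract
```

The check covers only approve(); increaseAllowance calls and EIP-2612 permit signatures grant allowances too and would need their own decoders.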
Industry Implications
This case triggered broader discussions about how reliant DeFi still is on Web2 components:
- Teams across the industry re-evaluated registrar and DNS setups.
- Projects began implementing registry locks and DNS monitoring.
- Several organizations started considering decentralized hosting alternatives such as IPFS and ENS.
- Monitoring for phishing clones and DNS propagation delays became more standard in deployment protocols.
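The DNS monitoring these teams adopted can be as simple as pinning a known-good delegation and alerting on drift. The following is an added example, not Curve's or DomainSure's tooling: it compares constructed observations for a placeholder domain (dex.example, with nameserver names under .example and documentation IP ranges) against a pinned baseline. A real deployment would populate DnsObservation from a resolver library and the AD flag of a validating resolver, both assumed here rather than shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DnsObservation:
    domain: str
    nameservers: frozenset   # NS records at the registrar/delegation level
    addresses: frozenset     # A/AAAA answers for the frontend host
    dnssec_validated: bool   # AD flag from a validating resolver
    observed_at: str         # ISO-8601 timestamp used in alert text

def normalize(names):
    """Lower-case and drop trailing dots so 'NS1.Example.NET.' matches 'ns1.example.net'."""
    return frozenset(n.lower().rstrip(".") for n in names)

def check_drift(baseline: DnsObservation, current: DnsObservation) -> list:
    """Compare an observation against the pinned baseline; return alert strings ([] = no drift)."""
    if current.domain != baseline.domain:
        raise ValueError("baseline and observation are for different domains")
    alerts = []
    added = current.nameservers - baseline.nameservers
    removed = baseline.nameservers - current.nameservers
    if added or removed:
        # A changed NS set is exactly what a registrar/DNS-provider compromise
        # looks like from the outside, so it is the highest-severity signal.
        alerts.append(f"CRITICAL {current.observed_at}: NS set changed "
                      f"(added={sorted(added)}, removed={sorted(removed)})")
    unexpected = current.addresses - baseline.addresses
    if unexpected:
        alerts.append(f"HIGH {current.observed_at}: frontend resolves to "
                      f"unexpected addresses {sorted(unexpected)}")
    if baseline.dnssec_validated and not current.dnssec_validated:
        # DNSSEC only protects users behind validating resolvers, and an attacker
        # who controls the delegation can often switch it off, so a lost AD flag
        # is a signal to alert on rather than a guarantee.
        alerts.append(f"HIGH {current.observed_at}: DNSSEC validation lost")
    return alerts

# Constructed observations (documentation IPs and .example names, not real data).
BASELINE = DnsObservation("dex.example", normalize(["ns1.good-dns.example.", "ns2.good-dns.example."]),
                          frozenset({"203.0.113.10"}), True, "2022-08-09T19:00:00Z")
CLEAN = DnsObservation("dex.example", normalize(["NS2.good-dns.example", "ns1.good-dns.example"]),
                       frozenset({"203.0.113.10"}), True, "2022-08-09T20:00:00Z")
HIJACKED = DnsObservation("dex.example", normalize(["ns1.rogue-dns.example"]),
                          frozenset({"198.51.100.77"}), False, "2022-08-09T20:20:00Z")

if __name__ == "__main__":
    for alert in check_drift(BASELINE, HIJACKED):
        print(alert)
```

Polling from several vantage points (different recursive resolvers and regions) catches partial propagation and resolver-specific poisoning that a single vantage point misses.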
Conclusion
The Curve Finance DNS hijack was not a failure of smart contract design, but of Web2 access infrastructure. It demonstrated that the path of least resistance for attackers often lies in centralized components like DNS.
The incident reinforces the need for crypto and Web3 platforms to secure their entire stack, including registrar accounts and DNS settings. For critical infrastructure like DeFi, domain and DNS security must be treated as a first-class priority.
For projects looking to address these risks proactively, platforms like DomainSure provide enterprise-grade protection against DNS hijacks, typosquats, and Web2 compromise vectors.