On Tuesday, DeFi protocol Curve Finance suffered a front-end exploit, with attackers managing to steal around $573,000.
Paradigm researcher samczsun first brought it to notice and warned users against using the protocol. Shortly after, Curve Finance tweeted that it was investigating the issue.
@CurveFinance frontend is compromised, do not use it until further notice!
— samczsun (@samczsun) August 9, 2022
Hackers were able to hijack CurveFi’s DNS system and put up a replica website with a malicious contract on the homepage. Any interaction with the contract would immediately drain the wallet. Unwitting users who fell prey to this lost all of their funds. Curve clarified that its other website, curve.exchange, used a different DNS server and remained unaffected.
CurveFi, which uses automated matchmaking for trading stablecoins and other cryptocurrencies, urged the domain registrar iwantmyname.com to “please do something.”
Dear @iwantmyname, looks like something is compromised on your side (most likely, name servers – they seem to override what the UI tells them to serve). Please do something.
— Curve Finance (@CurveFinance) August 9, 2022
For everyone else: we switched nameserver, but don't rush to use https://t.co/vOeMYOTq0l – wait a bit
According to on-chain data, the malicious contract drained over $573,000 in USDC and DAI from eight different wallets. The funds were then converted to ETH and transferred to crypto exchange FixedFloat in batches of 45 and 20-25 ETH.
FixedFloat tweeted that it had frozen about 112 ETH, or approximately $191,000, of the transferred funds.
Our security department has frozen part of the funds in the amount of 112 ETH. In order for our security department to be able to sort out what happened as soon as possible, please email us: [email protected]
— FixedFloat⚡️ (@FixedFloat) August 9, 2022
“We switched nameserver, but don’t rush to use http://curve.fi – wait a bit,” Curve tweeted.
A few hours later, the decentralized exchange posted that the issue had been fixed and advised users to revoke any contract signed in the past few hours.
The issue has been found and reverted. If you have approved any contracts on Curve in the past few hours, please revoke immediately. Please use https://t.co/6ZFhcToWoJ for now until the propagation for https://t.co/vOeMYOTq0l reverts to normal
— Curve Finance (@CurveFinance) August 9, 2022
This is the third high-profile case of the month following the Solana wallet exploit and the Nomad bridge hack, leading to the loss of millions worth of tokens. If anything, the crypto community – including the users and protocols – should be on its toes in an industry rife with relentless hacking incidents.