The attackers managed to attack the Curve Finance project without interfering with its smart contracts.

Cryptocurrency theft through domain names: the Curve Finance case

28.05.2025

527

3 min

Throughout the history of cryptocurrencies, many criminal schemes have been devised to steal them. GetBlock AML Research explains how attackers can get hold of your cryptocurrency without interfering with the blockchain and smart contracts.

Precedent

On May 12, 2025, users of Curve Finance, a large decentralized exchange, began to be exposed to a fake copy of the trading platform that was created by attackers to steal cryptocurrency. It turned out that hackers conducted an attack on the Domain Name System (DNS) and took possession of Curve’s domain name (curve.fi).

Curve domain hacking alert

Manipulation of DNS servers resulted in everyone who wanted to open Curve Finance exchange in their browser being redirected to a malicious website. The project has already faced a similar attack in 2022.

How this is possible

The Domain Name System (DNS) works similarly to a phone book. A domain name (e.g., getblock.net) is assigned to the IP address of the server where the website is located. The system is implemented so that users can get to websites on the Internet via a convenient text link, without having to remember the correct IP address.

In the case of the attack on Curve Finance, the hackers were able to bypass the protection of the iwantmyname service, which provides domain name registration and management services. They then simply replaced the IP address assigned to the domain with another one that led to a malicious copy of Curve’s website.

Curve developers criticized the iwantmyname service for its slow response to the hack

The danger of such an attack is that spoofing the original website with a malicious one is difficult to detect. At the time of the attack, the Curve Finance team was unaware that users had lost access to the authentic version of the website. The spoofing occurred at 20:55 UTC and the attack was spotted by the Curve team at 21:20 UTC.

The Curve team confirms that the trading platform infrastructure is unaffected by the attack

How Curve responded

  • The project team notified users about the danger through all available communication channels (e.g. Discord and X);
  • Curve developers contacted the domain name registrar iwantmyname and requested the removal of the compromised domain;
  • After the compromised domain was removed, a new domain name (curve.finance) was registered again.

Notification of users about registration of a new domain name

The peculiarity of the DNS spoofing attack is that the entire project infrastructure remains safe. Curve Finance smart contracts were unaffected, as well as user funds. During the attack period, the trading platform processed $400 million worth of transactions.

Protecting a project from DNS attacks

The situation with Curve Finance shows that many decentralized systems still continue to be dependent on a centralized web2.0 infrastructure. Here are the main ways that can help reduce this dependency:

  • Have multiple domain names (mirrors) to make hacking more difficult. Even if one domain name is compromised, users will be able to access the service using other available addresses;
  • Use only trusted and reliable companies that provide domain name registration and management services;
  • Use alternative domain zones, such as the Ethereum Name Service (ENS), which allows you to register a .eth domain.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy