
DeFi Protocol Curve Finance Loses $570K in a DNS Hack

By:
Mohadesa Najumi
Updated: Aug 10, 2022, 11:15 UTC

DNS spoofing was used to hack the site's frontend, while the curve.exchange frontend remained unaffected.


Key Insights:

  • Hackers changed the Domain Name System (DNS) entry for the protocol and stole $570,000 in the process.
  • Curve’s frontend was cloned using a DNS spoofing method. 
  • The hack was a result of Curve’s DNS service provider iwantmyname being compromised. 

Automated market maker Curve Finance (CRV) has suffered an exploit which has led to the loss of hundreds of thousands of dollars.

The team behind the protocol noted that the exploit of the site’s frontend was the result of an attack by a malicious actor, affecting the project’s nameserver.

DNS Hack

The suspected hacker appears to have changed the Domain Name System (DNS) entry for the protocol so that the domain pointed to another IP address, where the site served to users added approval requests for a malicious smart contract in order to steal user funds.

More specifically, an illicit actor appears to have cloned Curve’s frontend using a DNS spoofing method, so that any transactions made via the site were redirected to the hackers’ wallets. DNS spoofing is a type of attack in which hackers mimic legitimate server destinations by impersonating another service in order to redirect users to the wrong website.

Curve Finance has stated that the hack was a result of their DNS service provider iwantmyname being compromised; the project has since changed its nameserver. A nameserver is a server in the DNS that translates domain names into IP addresses and routes traffic across the internet. Nameservers also store and organise DNS records, each of which pairs a domain with one or more IP addresses.
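
A defender-side check for the kind of record change described above, as an added example that is not from the article or from Curve: it parses `dig +noall +answer` output and compares the NS and A record sets against a pinned baseline. The domain, nameserver names and IP addresses are constructed documentation values, and the function names are this example's own.

```python
import ipaddress

# Constructed baseline: the records the operator expects (documentation names/IPs).
BASELINE = {
    ("example.org", "NS"): {"ns1.dns-host.example", "ns2.dns-host.example"},
    ("example.org", "A"): {"203.0.113.10"},
}

# Constructed `dig +noall +answer` output, as it would look after a hostile A-record change.
OBSERVED_DIG = """\
example.org.   3600 IN NS ns1.dns-host.example.
example.org.   3600 IN NS NS2.DNS-HOST.EXAMPLE.
example.org.   60   IN A  198.51.100.77
"""

def normalise(rtype, value):
    """Canonical form so letter case or a trailing dot never counts as drift."""
    if rtype in ("A", "AAAA"):
        return str(ipaddress.ip_address(value))
    return value.rstrip(".").lower()

def parse_dig_answer(text):
    """Parse 'name ttl class type rdata' lines into {(name, type): {rdata}}."""
    records = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        if len(fields) != 5 or line.lstrip().startswith(";"):
            continue  # skip blanks, comments and malformed lines
        name, _ttl, _cls, rtype, rdata = fields
        key = (name.rstrip(".").lower(), rtype.upper())
        records.setdefault(key, set()).add(normalise(key[1], rdata.strip()))
    return records

def find_drift(baseline, observed):
    """Return one finding per pinned record set that differs from what resolves now."""
    findings = []
    for key in sorted(baseline):
        expected = {normalise(key[1], v) for v in baseline[key]}
        seen = observed.get(key, set())
        if seen != expected:
            findings.append({
                "name": key[0], "type": key[1],
                "unexpected": sorted(seen - expected),
                "missing": sorted(expected - seen),
            })
    return findings

if __name__ == "__main__":
    for finding in find_drift(BASELINE, parse_dig_answer(OBSERVED_DIG)):
        print("ALERT", finding)
```

Run on a schedule from more than one network vantage point, a check like this turns an unexpected NS or A change into an alert rather than a user report.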

Over $570,000 worth of funds were stolen; however, the platform’s smart contract remained unaffected as it was under a different domain name.

In response to the hack, the project stated that users should refrain from performing any approvals, swaps or using curve.fi or curve.exchange until the protocol’s operators could locate the source of the exploit.

Curve Resolves Site Exploit

An hour after the initial warning, the protocol’s operators confirmed that they found the source of the problem and reverted the issue, directing users who had approved any contracts on Curve at the time to revoke them “immediately.”

While the issue was promptly addressed by the team, the protocol also advised users to utilise curve.exchange until the propagation of curve.fi reverted back to normal.

According to the International Data Corporation (IDC), 91% of financial institutions suffered from at least one DNS attack last year, with damages in the sector amounting to nearly $1.1 million per attack. Overall, IDC found that phishing attacks (55%) and DNS-based malware (42%) were the most common attacks affecting the financial industry.

About the Author

Mohadesa Najumi is a British writer who has worked within crypto, forex, financial technology, and the stock market industry. Mohadesa received her MSc in Political Science and International Relations at the University of Amsterdam.
