Cyber Incident Victim: Curve Finance
Date: Aug 2022
Location: United States of America
Summary
A decentralized cryptocurrency exchange was compromised through a DNS attack in which its website was cloned and users were redirected to a fraudulent platform, where they were prompted to approve malicious contracts, resulting in the theft of at least $770,000 from their wallets. The attackers exploited vulnerabilities in web2 infrastructure relied upon by web3 systems, highlighting risks associated with cross-chain bridges and the targeting of crypto exchanges for rapid financial gain. Users were advised to revoke suspicious contract approvals and temporarily switch to an alternative domain while the primary site was secured.
Description
On or around August 8, 2022, decentralized cryptocurrency exchange Curve Finance experienced a security breach involving a compromise of its DNS infrastructure. Threat actors cloned the legitimate curve.fi site to create a fraudulent copy of the Curve Finance website and redirected user traffic to this imitation platform. Visitors to the fake site were prompted to approve a malicious smart contract, which enabled attackers to withdraw funds directly from users' cryptocurrency wallets. The incident resulted in confirmed losses of at least $770,000 stolen from Curve Finance users who interacted with the fraudulent contracts. Curve Finance detected the compromise and issued warnings to its user base through Telegram communications, advising immediate revocation of any contract approvals granted through the fake interface. The platform directed users to temporarily use the curve.exchange domain while DNS propagation issues affecting curve.fi were being resolved.

The attack exploited vulnerabilities in web2 infrastructure components that support web3 platforms, specifically targeting DNS systems to facilitate the phishing scheme. Security analysts characterized the incident as part of broader systemic risks where traditional web infrastructure weaknesses enable cryptocurrency theft. Cross-chain bridges were noted as particularly vulnerable due to their structural complexity and high asset concentrations, though this specific attack vector did not directly exploit bridge protocols. Financial impact quantification remained partial, with only the confirmed $770,000 loss explicitly documented. Curve Finance's response focused on user notification and temporary domain migration while addressing the DNS compromise. Industry experts observed that cryptocurrency exchanges remain prime targets due to the immediate financial payoff achievable through successful attacks compared to other cybercrime methods requiring extended operational timelines. The incident underscored ongoing security challenges at the intersection of decentralized finance platforms and centralized internet infrastructure components.
