Users of Curve Finance were urged to immediately stop all activity on the platform after the project team reported a renewed attack on their infrastructure on May 12. This time, the incident involved a compromise of the DNS — the domain name system of the website, which now redirects visitors to a fake page capable of draining their wallets.
What Happened
The Curve Finance team issued a warning on X, stating: “curve.fi DNS may have been hijacked.” Later, developers clarified that the domain “resolves to an incorrect IP,” which may indicate a takeover of the domain name system.
Curve assured users that the protocol’s smart contracts were not affected and that two-factor authentication had long been enabled. However, the fact that the domain now points to a malicious IP address has been confirmed.
Impact on Users
Experts from Scam Sniffer recommended users completely avoid interacting with Curve’s frontend, warning that the attack may have compromised the client side of the website — interface elements like forms and buttons could have been replaced with malicious components.
“If you're already connected to the site, do not sign any transactions or interact with the application. We’re working with partners and will provide more information shortly,” said the onchain security firm Blockaid.
The Trust Wallet team, using a security scanner from HashDit, also confirmed that the Curve domain redirects to a malicious website and poses a security threat.
David Zhang, co-founder of Stably, pointed out that the attack was rather primitive.
“The hackers didn’t even try hard — they simply replaced the website with a screenshot that included a clickable drainer link. It could’ve been much worse,” he said.
CRV Token Reaction and Background
Following the news, the price of the CRV token dropped by 6.97% in 24 hours, falling to $0.7215.
This is the second time in a week that Curve Finance has been targeted. On May 5, unknown actors gained access to Curve’s official X account. That incident caused no damage, and the account was quickly restored. The team clarified that no other Curve services were affected and no users were harmed by the phishing links that had been posted. The investigation remains ongoing.
This post is for informational purposes only and is not an ad or investment advice. Please do your own research making any decisions.
