Curve Finance Faces Dual Security Breaches: X Account Compromised and DNS Hijack

In early May 2025, Curve Finance, a prominent decentralized finance (DeFi) platform, experienced two significant security breaches. First, its official X account was compromised to promote a fraudulent airdrop. Shortly after, the platform's primary domain, curve.fi, was hijacked, redirecting users to a malicious site designed to steal funds. These incidents underscore the vulnerabilities DeFi platforms face and the importance of robust security measures.

X Account Compromised to Promote Fake Airdrop

On May 5, 2025, Curve Finance's official X account was hacked. The attacker posted a tweet announcing a fake CRV token airdrop, urging users to register via a link that led to a phishing site mimicking Curve's interface. The fraudulent post claimed that users needed to register before a snapshot scheduled for Sunday at midnight UTC to be eligible for the airdrop. This tactic aimed to create urgency and lure users into providing sensitive information or approving malicious transactions.

Curve Finance's founder, Michael Egorov, quickly confirmed the breach, stating that only the X account was compromised and that no other systems were affected. The malicious tweet was deleted, and users were warned not to click on any links shared by the compromised account until full control was restored.

DNS Hijack Redirects Users to Malicious Site

A week later, on May 12, 2025, Curve Finance faced another security incident. The platform's primary domain, curve.fi, was hijacked through a DNS attack. Attackers manipulated the domain's DNS records, redirecting users to a counterfeit website designed to mimic Curve's interface. This fake site contained scripts intended to trick users into approving token transfers to attacker-controlled wallets.

The malicious site remained active for several hours before the issue was identified and addressed. Curve Finance promptly advised users to avoid the compromised domain and instead use the new official domain, curve.finance. The team also confirmed that the attack was limited to the DNS layer and that the platform's smart contracts and core infrastructure remained secure.
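A record change of the kind described above can be detected by comparing what resolvers return against a pinned baseline. The following Python is an added example, not code from Curve Finance or from the original article; the `diff_records` helper, the severity ranking, and all nameserver names and addresses are assumptions constructed for illustration.

```python
# Added example: detect DNS record drift for a domain against a pinned baseline.
# Every record value here is a constructed placeholder, not a real Curve record.

# Assumed ranking: an NS change means the whole delegation moved, so it ranks highest.
SEVERITY = {"NS": "critical", "A": "high", "AAAA": "high", "CNAME": "high"}

def normalize(rtype, value):
    """Hostnames are case-insensitive and may carry a trailing dot; addresses are kept."""
    value = value.strip()
    if rtype in ("NS", "CNAME"):
        return value.rstrip(".").lower()
    return value

def diff_records(baseline, observed):
    """Compare two {rtype: [values]} maps and return one finding per drifted type."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = {normalize(rtype, v) for v in baseline.get(rtype, [])}
        got = {normalize(rtype, v) for v in observed.get(rtype, [])}
        if want == got:
            continue  # ordering and cosmetic differences are not drift
        findings.append({
            "rtype": rtype,
            "severity": SEVERITY.get(rtype, "medium"),
            "added": sorted(got - want),    # values never approved by the owner
            "removed": sorted(want - got),  # approved values that disappeared
        })
    return findings

# Constructed baseline, recorded while the zone was known to be good.
BASELINE = {
    "NS": ["ns1.dns-provider.example.", "ns2.dns-provider.example."],
    "A": ["192.0.2.10", "192.0.2.11"],
}
# Constructed snapshot: same records, different order, case and trailing dot.
CLEAN = {
    "NS": ["NS2.dns-provider.example", "ns1.dns-provider.example."],
    "A": ["192.0.2.11", "192.0.2.10"],
}
# Constructed snapshot after a hijack: delegation and addresses both replaced.
HIJACKED = {
    "NS": ["ns1.other-host.example.", "ns2.other-host.example."],
    "A": ["198.51.100.77"],
}

if __name__ == "__main__":
    for name, snapshot in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, diff_records(BASELINE, snapshot))
```

In practice the observed snapshot would be filled from queries to several independent resolvers on a schedule, with any finding raised as an alert.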

Curve Finance's Response and Mitigation Measures

In response to these incidents, Curve Finance took immediate action to mitigate risks and enhance security:

  1. Domain Migration: The platform permanently moved its official domain from curve.fi to curve.finance to prevent further DNS-related attacks.
  2. User Advisories: Users were warned to avoid the compromised domain and to be cautious of phishing attempts, especially those involving fake airdrops or urgent calls to action.
  3. Security Enhancements: Curve Finance committed to implementing additional security measures, including exploring decentralized alternatives like the Ethereum Name Service (ENS) to reduce reliance on traditional DNS infrastructure.

The dual security breaches experienced by Curve Finance in May 2025 highlight the persistent threats facing DeFi platforms. While the platform's swift response and transparent communication helped mitigate potential damages, these incidents remind us of the importance of solid security protocols in DeFi systems.

FAQs

1: What happened to Curve Finance's X account?

On May 5, 2025, Curve Finance's official X account was hacked. The attacker posted a fake CRV token airdrop announcement, directing users to a phishing site designed to steal funds.

2: How was Curve Finance's website compromised?

On May 12, 2025, attackers hijacked the DNS records of curve.fi, redirecting users to a malicious site that mimicked Curve's interface and aimed to drain user wallets.

3: Is it safe to use Curve Finance now?

Yes, Curve Finance has migrated to a new official domain, curve.finance, and has implemented measures to enhance security. Users are advised to access the platform only through this new domain.

4: Were user funds affected during these incidents?

The platform confirmed that its smart contracts and core infrastructure remained secure during both incidents. However, users who interact with malicious sites may be at risk.

5: What steps is Curve Finance taking to prevent future attacks?

Curve Finance is exploring the use of decentralized domain services like ENS and has committed to strengthening its security protocols to prevent similar incidents in the future.
