Via their official Twitter handle, the Ethereum-based decentralized finance (DeFi) protocol Curve Finance has confirmed a vulnerability in their nameserver or frontend curve.fi which was successfully reverted. Earlier, the team behind the project advised caution to its users and claimed an investigation has been launched to look into any potential vulnerabilities exploit.
The team behind the project said:
The issue has been found and reverted. If you have approved any contracts on Curve in the past few hours, please revoke immediately. Please use curve.exchange for now until the propagation for curve.fi reverts to normal
The team behind the project shared a potential theory about what could be affecting their frontend. A bad actor might have “cloned” their frontend, making it look like it is the same as the Curve Finance product, to affect people accessing it.
The team behind the project shared the following theory from Lefteris Karapetsas, founder of Rotkia App, about the attack affecting their Domain Name System (DNS):
It’s DNS spoofing. Cloned the site, made the DNS point to their ip where the cloned site is deployed and added approval requests to a malicious contract.
Therefore, anyone attempting to access Curve Finance’s curve.fi frontend should refrain from it until there are more details behind the potential attack. In a separate tweet, the team behind the project said that curve.exchange frontend seems to be unaffected.
Any Curve Finance user should revoke transaction approval for the following ETH smart contract addresses: 0x9Eb5F8e83359Bb5013f3D8eee60bDCe5654e8881 and watch out for transactions from address 0x50f9202e0f1c1577822BD67193960B213CD2f331 which the attacker could be using.
Curve Finance Tokens Sees Correction Following Attack
Curve Finance is, at least, the fourth project to be impacted by this DNS hijacking attack, according to Karapetsas. Other DeFi projects victims of these attacks include Ribbon Finance, DeFi Saver, and Convex Finance. Alex Smirnov, a co-founder of deBridge, said the following about this recent attack:
DNS is always a weak link. Here is how we solve this in deBridge and I think every DeFi project should have this.We have an automated monitoring system that checks the hash of the website and all its files. In case hash is changed, critical monitoring is immediately triggered.
Curve Finance claims that the issue could have originated from iwantmyname a DNS manager, but they are yet to offer more details about the incident. As the attack unveiled, the CRV token recorded a 10% correction in the past 24 hours.