en
Back to the list

Here's What Happened During Curve Finance's Hijacking That Put Funds at Risk

source-logo  u.today 10 August 2022 06:58, UTC

DeFi protocol Curve Finance has reported an exploit on its site. The alert was first raised by paradigm researcher "samczsun," who reported that the Curve Finance frontend was compromised and, hence, warned users against its use. The team behind the protocol immediately alerted users while stating they were investigating the matter.

Dear @iwantmyname, looks like something is compromised on your side (most likely, name servers - they seem to override what the UI tells them to serve). Please do something.

For everyone else: we switched nameserver, but don't rush to use https://t.co/vOeMYOTq0l - wait a bit

— Curve Finance (@CurveFinance) August 9, 2022

The problem, which seemed to be an attack on the service's nameserver and frontend, was quickly identified by the team. Curve said through Twitter that their exchange appeared to be untouched by the hack as it uses a different domain name system (DNS) provider.

Don't use the frontend yet. Investigating! https://t.co/8kmtpGsLQQ

— Curve Finance (@CurveFinance) August 9, 2022

Additionally, it warned that Iwantmyname, the DNS server provider, had been compromised and that its nameserver had been changed as a result.

Don't use https://t.co/vOeMYOTq0l site - nameserver is compromised. Investigation is ongoing: likely the NS itself has a problem

— Curve Finance (@CurveFinance) August 9, 2022

In a Twitter post, Steven Ferguson, the founder of TCPshield, recounts what happened during the breach. The alleged hacker altered the protocol's DNS record, redirecting users to a false clone and approving a malicious contract.

Upon initial investigation, this did not appear to be a hijack at the registrar level, but rather systems at @iwantmyname compromised themselves.

— Steven Ferguson (@szferguson) August 9, 2022

But the team moved fast to solve the problem. After issuing the original warning, Curve announced that it had identified and fixed the problem and advised users to "immediately" withdraw any contracts they had just approved. Additionally, it made clear which contract needed to be revoked.

The contract that needs to be revoked is: 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881 If you have approved it please revoke it immediately on https://t.co/9wuWm99AQv https://t.co/2zqnMlqxQE

— Curve Finance (@CurveFinance) August 9, 2022

According to reports, over $570,000 were stolen in the brief attack.

u.today