The protocol reported that an exploit on the site’s nameserver and front end resulted in a loss of over $573k. The protocol has since reported that the problem has been fixed.
Automated Market Maker Curve Finance took to Twitter on Tuesday, warning users of an exploit on its site. The Curve team acknowledged the issue affecting the site’s front-end and nameserver, which appeared to be orchestrated by a malicious actor. The protocol stated on Twitter,
“We are becoming aware of a potential front-end issue that is approving a bad contract,” the Telegram announcement read. “For now, please do not perform any approvals or swaps. We’re trying to locate the issue, but for now, for your safety, do not use Curve.fi or curve.exchange.”
In a second announcement shortly after the initial one, the team stated that they had found the source of the problem and addressed the issue. However, the protocol asked users to revoke any contract approvals they may have made over the past few hours, when the protocol’s front end and nameserver were compromised.
“If you have approved any contracts on Curve in the past few hours, please revoke immediately.”
Curve stated in a follow-up that its exchange, which is a separate product, was unaffected by the hack because it uses a different domain name system (DNS) provider. The protocol added that users should continue to use Curve.exchange until Curve.fi reverts to normal.
“The issue has been found and reverted. If you have approved any contracts on Curve in the past few hours, please revoke them immediately. Please use http://curve.exchange for now until the propagation for http://curve.fi reverts to normal.”
According to Curve, the hacker appeared to have changed the domain name system entry for Curve Finance. This forwarded users to a fake clone of the site, which requested approvals for a malicious contract. However, the program’s contract was not compromised by the hack.
While the attack on Curve Finance was ongoing, Twitter users tried to find the source of the attack. User LefterisJP speculated the attacker had used DNS spoofing to execute the attack on Curve.
“It’s DNS spoofing. Cloned the site, made the DNS point to their IP where the cloned site is deployed, and added approval requests to a malicious contract.”
Other users on Twitter were quick to warn fellow users about the ongoing exploit, stating that the protocol’s front-end had been compromised, while others noted that the hacker(s) had stolen over $573k.