DNS Attack Cause Curve Finance to Move to New Domain

Curve Finance has officially migrated to a new domain—Curve.finance—after a DNS hijack exposed users to phishing threats and highlighted critical vulnerabilities in its previous address, Curve.fi.

The decision, announced on 13 May, was driven by ongoing issues with the .fi domain registrar, including extended downtime and insufficient support during the crisis.

It stated:

“[The] .fi [domain] will be down for too long / no point of moving back. Also registrars who can hold .fi are somewhat not as great as those who can deal with .finance.”

The incident unfolded on 12 May, when attackers manipulated Curve.fi’s DNS records to redirect visitors to a counterfeit site that replicated the platform’s interface.

The malicious clone was designed to deceive users into approving wallet-draining transactions.

While Curve quickly contained the breach at the DNS level and confirmed no internal systems or smart contracts were compromised, the fraudulent site remained active for several hours due to the registrar’s delayed response—despite mounting community reports.

Curve said:

“[The registrar’s] response time is totally unacceptable: we need access to curve [.] fi taken away from hackers and the incident to be investigated.”

Yu Xian, founder of blockchain security firm Slowmist, emphasized the serious risks such domain-level attacks pose to DeFi protocols, noting:

“The phishing gang [was] playing dirty tricks at the front end with fake wallet pop-up scams, directly fishing for mnemonic phrases… I have to say, this is pretty sleazy.”

Following the attack, the Curve.fi domain was frozen, and the team reassured users that the breach was confined to the front-end interface.

“User funds are safe,” Curve stated, underscoring that its core infrastructure remains intact.

CRV Token Free Falls After Hack But Has Since Rebounded

In a troubling repeat incident for the DeFi space, Curve Finance has suffered its second DNS hijack in less than a week—rattling investor confidence and triggering sharp market reactions.

The breach led to a 7% drop in the Curve DAO (CRV) token, which at one point sank to $0.7220.

The attack raised fresh concerns over front-end vulnerabilities, though Curve’s team was quick to reassure users that its smart contracts and core infrastructure remain secure.

Despite the initial selloff, CRV has since rebounded, climbing 6.41% over the past 24 hours to trade at $0.7658, according to CoinMarketCap. https://coinmarketcap.com/currencies/curve-dao-token/

As Curve battles recurring DNS threats, the incident underscores growing scrutiny over domain security in decentralised protocols—and how much damage can be done without ever touching a smart contract.

Curve Grapples with Security Challenges

In 2022, Curve Finance faced a similar DNS hijack that resulted in user losses of roughly $530,000—an incident that, notably, also involved the same domain registrar, iwantmyname.

The latest breach follows closely on the heels of another security lapse: just a week prior, a hacker briefly seized control of Curve’s X (formerly known as Twitter) account, using it to post phishing links.

Although the team swiftly regained access and confirmed no user funds were affected, the back-to-back incidents have alarmed cybersecurity experts.

They warn that attackers are increasingly moving beyond smart contract exploits, instead targeting the broader infrastructure that supports DeFi protocols.

Could this shift signal a new front in Web3 security challenges?