Curve Domain Incident
On May 12, 2025, Curve.fi was hijacked via a DNS attack at the registrar level. No contracts or data were compromised. Curve moved to https://curve.finance and urges a shift to ENS for safer, decentralized access.

On May 12th, 2025, at approximately 20:55 UTC, the Curve Finance frontend hosted at the .fi domain experienced a domain hijacking attack at the registrar level, unrelated to any breach of Curve’s infrastructure. Attackers managed to access the registrar and change the DNS settings.
Users attempting to access the official Curve website were instead redirected to a malicious site that mimicked the Curve homepage — a static decoy that did not function as a real frontend and only attempted to prompt users for wallet signatures.
Our Response
While the registrar was slow to respond, the Curve team acted swiftly and successfully escalated the issue upstream. As a result, the .fi domain was pointed to neutral nameservers and thus taken offline while we worked on regaining control of it. To ensure users could still access the frontend and manage their funds safely, we quickly provided a safe alternative at https://www.curve.finance/, which now serves as the official access point for the Curve Finance interface for the time being.
Upon discovery of the exploit at 21:20 UTC, the following immediate steps were taken:
- Alerted users via our official channels
- Requested a takedown of the compromised domain
- Began mitigation and domain recovery procedures
- Engaged security partners and the registrar to coordinate a response
Funds and Data Are Safe
While the domain was compromised, the Curve protocol and its smart contracts remained fully secure and operational and continue to be so. During the frontend outage, Curve still processed over $400 million in on-chain volume, demonstrating the resilience and integrity of the protocol. No data was compromised as Curve’s frontend does not store any user data.
The team can be reached at all times via its Discord server. Users are invited to open tickets to address any inquiries or concerns.
How it happened
The attacker gained access to the systems of the domain registrar iwantmyname. They then modified the DNS delegation of the curve[.]fi domain to point to their own DNS server, allowing them to reroute traffic. The exact method of compromise is still under investigation, as there are no signs of unauthorized access or compromised login credentials.
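A change like the one described above shows up externally as different NS records in the parent zone's referral for the domain. The following is an added example, not part of Curve's post or tooling: a Python check that compares a referral against a pinned nameserver set. The nameserver names and sample referrals are constructed placeholders.

```python
# Added example. Nameserver names and sample referrals are constructed.
PINNED = {"ns1.dns-host.example", "ns2.dns-host.example"}

REFERRAL_OK = """\
; constructed: authority section returned by the parent (.fi) zone
curve.fi.  3600  IN  NS  NS1.dns-host.example.
curve.fi.  3600  IN  NS  ns2.dns-host.example.
"""
REFERRAL_CHANGED = """\
curve.fi.  3600  IN  NS  ns1.unknown-host.example.
curve.fi.  3600  IN  NS  ns2.unknown-host.example.
other.fi.  3600  IN  NS  ns1.dns-host.example.
"""

def norm(name):
    """DNS names compare case-insensitively; the trailing dot is optional."""
    return name.strip().rstrip(".").lower()

def parse_ns_records(text, domain):
    """Collect NS targets for `domain` from zone-file style lines
    (owner TTL class type rdata), ignoring comments and other owners."""
    targets = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if (len(fields) >= 5 and fields[3].upper() == "NS"
                and norm(fields[0]) == norm(domain)):
            targets.add(norm(fields[4]))
    return targets

def check_delegation(pinned, observed):
    """Compare the observed delegation with the pinned nameserver set."""
    pinned = {norm(n) for n in pinned}
    observed = {norm(n) for n in observed}
    unexpected = sorted(observed - pinned)
    missing = sorted(pinned - observed)
    if not observed:
        status = "no-delegation"          # domain removed or lookup failed
    elif unexpected:
        status = "unexpected-nameserver"  # alert: delegation points elsewhere
    elif missing:
        status = "nameserver-missing"
    else:
        status = "ok"
    return {"status": status, "unexpected": unexpected, "missing": missing}

if __name__ == "__main__":
    for label, text in (("ok", REFERRAL_OK), ("changed", REFERRAL_CHANGED)):
        print(label, check_delegation(PINNED, parse_ns_records(text, "curve.fi")))
```

Feed it the authority section of a non-recursive NS query sent to the parent zone's servers, since a recursive resolver may still return a cached delegation.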
Registrar-level attacks like this are rare but impactful. They have previously affected other DeFi projects, which highlights a critical vulnerability shared by all DeFi apps that rely on traditional DNS infrastructure.
We believe this underlines the need for an industry-wide shift toward decentralized naming systems, such as the Ethereum Name Service (ENS). We need to take action and influence major browser providers to add support for ENS domains (like curve.eth) to offer a safe, blockchain-verified alternative to legacy DNS, eliminating this entire attack vector.
Next Steps
We are currently:
- Reviewing and upgrading our registrar-level security measures, including additional protections and registrar alternatives
- Exploring decentralized frontend solutions to remove reliance on vulnerable web infrastructure
- Collaborating with the wider DeFi and ENS ecosystems to push for browser-native support of .eth domains
Despite our efforts, the response from the registrar has been slow and uncooperative, and we continue to pursue recovery through all available channels.
We are incredibly grateful for the continued support and trust of our users and partners. Incidents like this strengthen our resolve to build a safer, more decentralized future for DeFi. We remain committed to transparency, user protection, and continued innovation. If you have any questions or concerns, we are always open to speaking directly, so please don’t hesitate to reach out.