Aug 10, 2022 Frank Stewskid
Curve Finance got exploited through its DNS provider iwantmyname whose nameservers got hacked
Curve Finance’s curve.fi website was exploited after its DNS was compromised. The Curve Finance team took to Twitter to warn its users about the hack and urged the community to revoke any approvals they might have given to smart contracts they interacted with through the Curve.fi website during the last 24 hours. At first it was only known that the platform's front-end had been compromised; it was later established that this was the result of a DNS hijacking attack, as the project’s other website, curve.exchange, used by its exchange platform, uses a different DNS provider and remained unaffected.
Just an hour after announcing the discovery of the exploit, the Curve team reassured its community that the attack had been dealt with and a fix had been issued. Users who had approved any contract after interacting with Curve were once again urged to revoke those approvals. No details about how the nameservers were compromised were shared, apart from the Curve Finance team's assumption that its DNS provider, iwantmyname, had most likely been hacked.
That we don't know. Most likely, @iwantmyname themselves got hacked
— Curve Finance (@CurveFinance) August 9, 2022
According to crypto researcher and self-proclaimed “2D detective” ZachXBT, the Curve.fi hack resulted in $570,000 stolen, and the attacker started transferring funds to the automatic cryptocurrency exchange FixedFloat.
Looks like $570k stolen
0x50f9202e0f1c1577822BD67193960B213CD2f331 pic.twitter.com/IG6nIKVv59
— ZachXBT (@zachxbt) August 9, 2022
At the same time, FixedFloat stated that its security department had frozen part of the funds transferred from the wallet address suspected to be related to the Curve attack, amounting to 112 ETH, and was waiting for further details. Moreover, the attacker was seen immediately swapping USDC to ETH out of fear of being blacklisted by Circle, the USDC stablecoin’s issuer.
Our security department has frozen part of the funds in the amount of 112 ETH. In order for our security department to be able to sort out what happened as soon as possible, please email us: [email protected]
— FixedFloat⚡️ (@FixedFloat) August 9, 2022
Other Twitter users were quick to note that the malicious smart contract was created on July 25, 2022, and that its creator was moving funds through the infamous cryptocurrency mixer Tornado Cash.
Malicious contract creator has already started moving the funds through @TornadoCash
contract creator: 0x50f9202e0f1c1577822BD67193960B213CD2f331 pic.twitter.com/fJi9aEUi0Y
— CryptoShine (@CryptoShine) August 9, 2022
All Curve.fi issues have since been fixed and a post-mortem is expected to be released soon.
Updates should have propagated for https://t.co/vOeMYOTq0l everywhere by now, which means it should be safe to use
— Curve Finance (@CurveFinance) August 10, 2022
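For readers acting on the advice above to revoke approvals granted during the incident window, the following added example (not from the original article or from Curve) shows one way to shortlist them from ERC-20 Approval event logs. The log records are simplified and constructed, with a `timestamp` field assumed to be joined from block headers; all addresses, the window start and the function names are hypothetical.

```python
# Added example. All addresses, timestamps and log records below are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def approvals_to_revoke(logs, owner, since_ts, trusted_spenders):
    """Map (token, spender) -> approved amount for approvals that `owner` set at or
    after `since_ts`, did not later reset to zero, and whose spender is not trusted."""
    trusted = {s.lower() for s in trusted_spenders}
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-20 Approval has 3 topics; ERC-721 reuses the signature with 4.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        latest[key] = (int(log["data"], 16), log["timestamp"])  # later event wins
    return {key: amount for key, (amount, ts) in latest.items()
            if amount > 0 and ts >= since_ts and key[1] not in trusted}

def _addr(digit):  # constructed 20-byte address, e.g. 0xaaaa...aaaa
    return "0x" + digit * 40

def _log(block, idx, ts, token, owner, spender, amount):
    pad = lambda a: "0x" + "0" * 24 + a[2:]
    return {"blockNumber": block, "logIndex": idx, "timestamp": ts, "address": token,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(amount)}

OWNER, OTHER = _addr("a"), _addr("b")
TOKEN_1, TOKEN_2 = _addr("1"), _addr("2")
KNOWN_ROUTER, UNKNOWN_1, UNKNOWN_2 = _addr("c"), _addr("d"), _addr("e")
WINDOW_START = 1_660_000_000  # constructed start of the incident window (Unix time)

SAMPLE_LOGS = [
    _log(90, 0, WINDOW_START - 500, TOKEN_2, OWNER, UNKNOWN_2, 5),  # before window
    _log(100, 0, WINDOW_START + 10, TOKEN_1, OWNER, KNOWN_ROUTER, MAX_UINT256),  # trusted
    _log(100, 1, WINDOW_START + 10, TOKEN_1, OWNER, UNKNOWN_1, MAX_UINT256),  # flagged
    _log(101, 0, WINDOW_START + 20, TOKEN_2, OWNER, UNKNOWN_1, 1000),  # revoked below
    _log(102, 0, WINDOW_START + 30, TOKEN_2, OTHER, UNKNOWN_1, 1000),  # other owner
    _log(103, 0, WINDOW_START + 40, TOKEN_2, OWNER, UNKNOWN_1, 0),  # the revocation
]

if __name__ == "__main__":
    hits = approvals_to_revoke(SAMPLE_LOGS, OWNER, WINDOW_START, [KNOWN_ROUTER])
    for (token, spender), amount in hits.items():
        print(f"revoke: token={token} spender={spender} amount={amount}")
```

The amount reported is the value last approved, not the remaining allowance, since spending through `transferFrom` does not have to emit an Approval event; any non-zero entry for an unrecognised spender is a candidate for revocation.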