Exchange liquidity protocol Curve Finance was targeted by hackers who took away approximately $570k, per a screenshot of the protocol’s wallet shared on Twitter on 9th August.
“We are becoming aware of a potential front-end issue that is approving a bad contract. For now, please do not perform any approvals or swaps. We’re trying to locate the issue, but for now, for your safety, do not use curve.fi or curve.exchange,” the Telegram announcement read.
Upon initial investigation, the team revealed that the attack was suspected to be a breach at the system @iwantmyname instead of the registrar level. “The contract that needs to be revoked is: 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881 If you have approved it please revoke it immediately on https://revoke.cash”, it added.
The team behind the project also spun the following theory from Lefteris Karapetsas, founder of Rotkia App, about the attack affecting their Domain Name System [DNS],
“It’s DNS spoofing. Cloned the site, made the DNS point to their IP where the cloned site is deployed, and added approval requests to a malicious contract.”
From the above details, the hacker likely manipulated the domain name system entry for the protocol, redirecting users to a fake clone and approving a malicious contract. However, the program’s contract remained unaffected by the onslaught.
Curve Finance’s Native Token Down By 8%
Curve Finance is a popular automated market maker [AMM] that offers an efficient way to swap tokens while maintaining low fees and low slippage by only accommodating liquidity pools made up of similarly behaving assets.
Following the incident, the CRV token registered a dip of 8% but has posted a marginal recovery of 5%.
Immediately after the announcement, the decentralized finance [DeFi] protocol’s operators said via Telegram that they found the root cause of the problem and fixed it.
“If you have approved any contracts on Curve in the past few hours, please revoke immediately,” they continued. The protocol also advised users to use curve.exchange until the propagation of curve.fi reverts to normal.
“Updates should have propagated for http://curve.fi everywhere by now, which means it should be safe to use.”