Over $530k was stolen from Curve Finance on Tuesday after a hacker took control of the nameserver and rerouted the DNS to a malicious server. The front end of the Curve website was cloned to trick users into believing they were interacting with the legitimate site.
On the surface, the SSL certificate, domain name, and website content were identical to the real version of the site, giving users little chance to identify the exploit. The correct IP for Curve’s server has been released and information on how to check this can be found at the end of this article.
Don’t use the frontend yet. Investigating! https://t.co/8kmtpGsLQQ
— Curve Finance (@CurveFinance) August 9, 2022
Within an hour, Curve had updated its Twitter account to pinpoint the malicious contract that should be revoked from all users’ wallets. The update followed a statement confirming that the platform had “found and reverted” the issue.
The issue has been found and reverted. If you have approved any contracts on Curve in the past few hours, please revoke immediately. Please use https://t.co/6ZFhcToWoJ for now until the propagation for https://t.co/vOeMYOTq0l reverts to normal
— Curve Finance (@CurveFinance) August 9, 2022
As of 7 PM GMT on August 10, Curve advises users to take additional precautions when interacting with its dApp. The issue has been resolved, but not all DNS records have been updated worldwide at this time. Users who understand how to verify an IP are safe to use the platform; others should use curve.exchange in the meantime.
We’ll tweet when we’re certain that ALL DNS records on all NS servers in the world are entirely up to date and the https://t.co/vOeMYOTq0l address is definitely safe to use https://t.co/kfODENPHFS
— Curve Finance (@CurveFinance) August 10, 2022
Tether’s CTO Paolo Ardoino commented on the hack on Wednesday afternoon, stating:
“This attack demonstrates once again that the ingenuity of hackers presents a near and ever-present danger to our industry… We applaud Curve for its ability to be able to pinpoint the source of the hack, and speedily act. This is exactly how a protocol should react during a time when customers’ funds are at risk.”
How to check if curve.fi resolves to the correct server
For those wishing to use Curve Finance, the following methods can be used to check which IP address the domain resolves to at your location.
Windows
- Press “Windows + R”
- In the Run dialogue box, type “cmd” and hit enter
- A window will open; in it, type “ping curve.fi”
- The result should return the IP address “76.76.21.21”
- If it does, then your current internet connection is resolving to the correct server for the domain
Mac
- Press “Cmd + Space”
- Type “terminal” and open the “Terminal” app
- A window will open; in it, type “ping curve.fi”
- The result should return the IP address “76.76.21.21”
- If it does, then your current internet connection is resolving to the correct server for the domain
However, in an abundance of caution, users are still advised to use curve.exchange until the Curve team releases a further update to confirm all DNS records have propagated.
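The same check as a script, added here as an example and not part of the original article or Curve's own tooling: ping shows only the one address it contacts, so this Python version lists every IPv4 address the local resolver returns for curve.fi and compares them with the address given above. The function names and the swappable `resolver` parameter are assumptions made for the example.

```python
import socket

# Address the article gives for the legitimate curve.fi server.
EXPECTED_IPS = {"76.76.21.21"}


def system_resolver(hostname):
    """Return every IPv4 address the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_resolution(hostname, expected_ips=EXPECTED_IPS,
                     resolver=system_resolver):
    """Compare the resolved addresses with the expected set.

    Returns (ok, resolved, unexpected). ok is True only when at least one
    address came back and every address is in expected_ips, so a failed
    lookup or a single stray address counts as a failed check.
    """
    try:
        resolved = list(resolver(hostname))
    except OSError:  # socket.gaierror (lookup failure) is a subclass
        return False, [], []
    unexpected = [ip for ip in resolved if ip not in expected_ips]
    ok = bool(resolved) and not unexpected
    return ok, resolved, unexpected


if __name__ == "__main__":
    ok, resolved, unexpected = check_resolution("curve.fi")
    print("resolved:", ", ".join(resolved) or "no answer")
    if ok:
        print("OK: this connection resolves curve.fi to the expected server")
    else:
        print("MISMATCH: unexpected addresses:", ", ".join(unexpected) or "none returned")
        print("Use curve.exchange until the DNS records have propagated")
```
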