Curve Finance warns users after website and X account hacks

Top decentralized exchange Curve Finance has warned users to avoid its curve.fi website due to an ongoing DNS hijacking attack, which redirects users to a malicious wallet drainer. 

Last week, Curve’s X account was hacked to promote a phishing website, another common scam facing crypto users.

Approximately two hours after the initial alert, Curve confirmed that curve.fi “points to a malicious site which can drain your wallet!” Co-founder Michael Egorov steered users towards the platform’s other front-end, curve.finance, in the meantime. 

A later update confirmed that “the protocol itself remains fully operational and secure.”

While all smart contracts are safe, the domain name points to a malicious site which can drain your wallet!

We are investigating and working on recovering the access.

No sign of a compromise on our side https://t.co/YUmwtwt5PH

— Curve Finance (@CurveFinance) May 12, 2025

Read more: Compound Finance and Celer Network websites compromised in ‘front-end’ attacks

According to decentralized finance (DeFi) dashboard DeFiLlama, Curve is the sector’s fourth-largest exchange, active on nine blockchains and with a total value locked (TVL) of around $2 billion.

Front-end attacks are just one of multiple dangers facing DeFi users. Hackers don’t directly target a project’s underlying liquidity pools, oracles or other smart contracts.

Instead, they aim to trick individual users who believe they are interacting with a legitimate website into signing malicious transactions.

Many of DeFi’s most well-known projects have been targeted by this attack vector in the past, including 2021’s “approvals harvesting” heist of Badger DAO users, which netted attackers $120 million, including 896 bitcoins (BTC) — worth around $40 million at the time — from now-defunct Celsius.

In fact, this isn’t even Curve’s first tangle with front-end hijacking. In 2022, the curve.fi site was also spoofed, leading to around $570,000 of losses from unfortunate users.

The DNS registrar named-and-shamed in the wake of the first incident, iwantmyname, was again called out publicly by Curve, which says its “response time is totally unsacceptable [sic].”

The decision to remain with the registrar appears to be down to limitations related to the .fi domain, and that Curve intends to phase it out.

Dear @iwantmyname. Your response time is totally unsacceptable: we need access to curve [.] fi taken away from hackers and the incident to be investigated. As of now, DNS still points to a drainer which can lead users to lose millions if they interact with it!

— Curve Finance (@CurveFinance) May 13, 2025

Read more: Abandoned DeFi websites used to host crypto wallet drainers

Curve balls

Curve has faced plenty of trials and tribulations since its launch in 2020’s so-called “DeFi Summer.” Even the Curve DAO itself was yeeted into existence by anonymous user 0xc4ad who claimed to have found the governance contracts “ready to rock” and decided to deploy them themself.

Last year, Egorov’s heavily leveraged CRV positions were hit with a liquidation cascade, sending the token’s price plummeting.

The positions had been in limbo ever since the hack, which hit some of the exchange’s liquidity pools for around $70 million in the summer of 2023.

Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.