Curve Finance exploit: Experts dissect what went wrong

Published at: Aug. 10, 2022

Decentralized finance (DeFi) protocols continue to be targeted by hackers, with Curve Finance becoming the latest platform to be compromised after a DNS hijacking incident.

The automated market maker warned users not to use the front end of its website on Aug. 9 after the incident was flagged online by a number of members of the wider cryptocurrency community.

While the exact attack mechanism is still under investigation, the consensus is that attackers cloned the Curve Finance website and rerouted the DNS records to the fake page. Users who attempted to use the platform then had their funds drained to a pool operated by the attackers.

Curve Finance managed to remedy the situation timeously, but attackers still siphoned what was originally estimated to be $537,000 worth of USD Coin (USDC) in the time it took to revert the hijacked domain. The platform believes its DNS server provider Iwantmyname was hacked, which allowed the subsequent events to unfold.

Cointelegraph reached out to blockchain analytics firm Elliptic to dissect how attackers managed to dupe unsuspecting Curve users. The team confirmed that a hacker had compromised Curve’s DNS, which led to malicious transactions being signed.

Elliptic estimates that 605,000 USDC and 6,500 DAI were stolen before Curve detected the hijack and reverted it. Using their blockchain analytics tools, Elliptic then traced the stolen funds to a number of different exchanges, wallets and mixers.

The stolen funds were immediately converted to Ether (ETH) to avoid a potential USDC freeze, amounting to 363 ETH worth $615,000.

Interestingly, 27.7 ETH was laundered through the now OFAC-sanctioned Tornado Cash. 292 ETH was sent into the FixedFloat exchange and coin swap service. FixedFloat managed to freeze 112 ETH and confirmed the movement of funds, according to an Elliptic spokesperson:

“We have been in contact with the exchange, which confirmed a further three addresses that the hacker withdrew funds into from the exchange (these were completed orders that FixedFloat were not able to freeze in time). These include 1 BTC address, 1 BSC address and 1 LTC address.”

Elliptic is now monitoring these flagged addresses in addition to the original Ethereum-based addresses. A further 20 ETH was sent to a Binance hot wallet, and another 23 ETH was moved to an unknown exchange hot wallet.

Elliptic also cautioned the wider ecosystem about further incidents of this nature after identifying a listing on a darknet forum claiming to sell 'fake landing pages' for hackers of compromised websites.

It is unclear whether this listing, which was discovered just a day before the Curve Finance DNS hijacking incident, was directly related, but Elliptic noted that it highlights the methodologies used in these types of hacks.
