On Tuesday, automated market maker Curve Finance took to Twitter to warn users of an exploit on its site. The team behind the protocol noted that the issue, which appeared to be an attack from a malicious actor, was affecting the service’s nameserver and frontend.
Kullanma https://t.co/vOeMYOTq0l site – ad sunucusunun güvenliği ihlal edildi. Soruşturma devam ediyor: Muhtemelen NS'nin kendisinde bir sorun var
- Curve Finance (@CurveFinance) Ağustos 9, 2022
eğri belirtilen via Twitter that its exchange — which is a separate product — appeared to be unaffected by the attack, as it uses a different domain name system (DNS) provider.
However, the issue was quickly addressed by the team. An hour after the initial warning, Curve said it had both found and reverted the issue, directing users who have approved any contracts on Curve in the last few hours to revoke them “immediately.”
Sorun bulundu ve geri alındı. Son birkaç saat içinde Curve'de herhangi bir sözleşmeyi onayladıysanız, lütfen derhal iptal edin. Lütfen kullan https://t.co/6ZFhcToWoJ şimdilik yayılıma kadar https://t.co/vOeMYOTq0l normale döner
- Curve Finance (@CurveFinance) Ağustos 9, 2022
Curve noted that, most likely, the DNS server provider Iwantmyname was hacked, adding that it has subsequently changed its nameserver.
A nameserver works like a directory that translates domain names into IP addresses.
While the exploit was ongoing, Twitter user LefterisJP speculated that the alleged attacker had likely utilized DNS spoofing to execute the exploit on the service:
DNS sahtekarlığıdır. Siteyi klonladı, DNS'nin klonlanan sitenin konuşlandırıldığı IP adresini işaret etmesini sağladı ve kötü niyetli bir sözleşmeye onay istekleri ekledi.
— Lefteris Karapetsaş | @rotkiapp (@LefterisJP) için işe alım Ağustos 9, 2022
Other participants in the DeFi space quickly took to Twitter to spread the warning to their own followers, with some noting that the alleged thief appears to have stolen more than $573,000 USD.
Alert to all @Filmdenkare users, their frontend has been compromised!
Do not interact with it until further notice!
It appears around $570k stolen so far #def #kripto $ crv
— Assure DeFi (@AssureDefi) Ağustos 9, 2022
Temmuz ayında, analysts suggested that they were favorably eyeing Curve Finance, despite the market downturn which continues to affect the larger DeFi space. Among the reasons cited by researchers at Delphi Digital for their bullishness, they specifically called out the platform’s yield opportunities, the demand for Curve DAO Token (CRV) deposits, and the protocol’s revenue generation from stablecoin liquidity.
This followed the platform’s release of a new “algorithm for exchanging volatile assets” in June, which promised to allow low-slippage swaps between “volatile” assets. These pools use a combination of internal oracles relying on Exponential Moving Averages (EMAs) and a bonding curve model, previously deployed by popular automated market makers such as Uniswap.
Update: Added announcement from Curve Finance that the issue has been resolved, pointing to its nameserver as the likely culprit for the exploit.
Source: https://cointelegraph.com/news/breaking-curve-finance-team-warns-users-to-avoid-using-site-until-further-notice