KEY POINTS

  • The stolen funds from Curve Finance were transferred to FixedFloat, a cryptocurrency exchange
  • The issue was 'found and reverted'
  • Curve Finance said domain registration platform IWantMyName was compromised 

The front-end of decentralized finance (DeFi) protocol Curve Finance was compromised and, according to an on-chain analyst, over $570,000 was stolen.

The compromise was first pointed out by Sam Sun, a Research Partner and the Head of Security at Paradigm, a crypto and Web3 investment firm, via a Twitter post at 4:25 p.m. ET Tuesday.

This was followed by Curve Finance confirming Sun's statement an hour later via a Twitter post.

According to ZachXBT, an on-chain analyst, the attackers made off with almost $570,000. He further pointed out that the funds were being directed to FixedFloat, a cryptocurrency exchange.

Curve retweeted a post from Lefteris Karapetsas, the founder of Rotkiapp - a crypto analytics platform. According to Karapetsas, the attackers cloned the Curve.fi website and "made the DNS point to their ip where the cloned site is deployed and added approval requests to a malicious contract."

Steven Ferguson, the founder of TCPShield, a DDoS protection service provider, revealed that systems at IWantMyName, a website domain registration platform, were compromised, which resulted in the DNS spoofing of Curve.fi.

Curve Finance is a vital part of DeFi because of its CRV token, which is used to provide rewards to users and hence is a source of income for many other decentralized protocols. Worried users were asked to use Curve.exchange while Curve.fi was being investigated.

By 5:27 p.m. ET Tuesday, the issue was "found and reverted." "If you have approved any contracts on Curve in the past few hours, please revoke immediately," a Twitter post read.

Curve's operators also announced via Telegram that the problem had been found and fixed. The firm reached out to IWantMyName to clear things up.

"Dear IWantMyName, looks like something is compromised on your side (most likely, name servers - they seem to override what the UI tells them to serve). Please do something. For everyone else: we switched nameserver, but don't rush to use http://curve.fi - wait a bit," Curve said.

The domain registration platform has yet to respond.

This illustration photograph shows physical banknote imitations of the Bitcoin cryptocurrency. Photo: AFP / Ozan KOSE