Curve Finance exploit: Experts dissect what went wrong

Attackers that hijacked Curve Finance’s landing page moved quickly to convert stolen funds to various tokens through different exchanges, wallets and mixers.

Decentralized finance (DeFi) protocols continue to be targeted by hackers, with Curve Finance becoming the latest platform to be compromised after a DNS hijacking incident.

The automated market maker warned users not to use the front end of its website on Aug. 9 after the incident was flagged online by a number of members of the wider cryptocurrency community.

While the exact attack mechanism is still under investigation, the consensus is that attackers managed to clone the Curve Finance website and rerouted the DNS server to the fake page. Users that attempted to make use of the platform then had their funds drained to a pool operated by the attackers.

Curve Finance managed to remedy the situation timeously but attackers still managed to siphon what was originally estimated to be $537,000 worth of USD Coin (USDC) in the time it took to revert the hijacked domain. The platform believes its DNS server provider Iwantmyname was hacked which allowed the subsequent events to unfold.

Cointelegraph reached out to blockchain analytics firm Elliptic to dissect how attackers managed to dupe unsuspecting Curve users. The team confirmed that a hacker had compromised Curve’s DNS, which led to malicious transactions being signed.

Related: Cross chains, beware: deBridge flags attempted phishing attack, suspects Lazarus Group

Elliptic estimates that 605,000 USDC and 6,500 DAI were stolen before Curve found and reverted the vulnerability. Utilizing their blockchain analytics tools, Elliptic then traced the stolen funds to a number of different exchanges, wallets and mixers.

The stolen funds were immediately converted to Ether (ETH) to avoid a potential USDC freeze, amounting to 363 ETH worth $615,000.

Interestingly, 27.7 ETH was laundered through the now OFAC sanctioned Tornado Cash. 292 ETH was sent into the FixedFloat exchange and coin swap service. The platform managed to freeze 112 ETH and confirmed the movement of funds according to an Elliptic spokesperson:

“We have been in contact with the exchange, which confirmed a further three addresses that the hacker withdrew funds into from the exchange (these were completed orders that FixedFloat were not able to freeze in time). These include 1 BTC address, 1 BSC Address and 1 LTC address.”

Elliptic is now monitoring these flagged addresses in addition to the original Ethereum-based addresses. A further 20 ETH was sent to a Binance hot wallet, and another 23 ETH was moved to an unknown exchange hot wallet.

Elliptic also cautioned the wider ecosystem of further incidents of this nature after identifying a listing on a darknet forum claiming to sell ‘fake landing pages’ for hackers of compromised websites.

It is unclear whether this listing, which was discovered just a day before the Curve Finance DNS hijacking incident, was directly related but Elliptic noted it highlights the methodologies used in these types of hacks.