Curve Finance (curve.fi frontend): DNS nameserver compromise → malicious frontend injection → approval harvesting
Curve Finance's battle-tested smart contracts were untouched while $575K was stolen by hijacking its DNS nameserver and serving a cloned site that harvested token approvals.
Summary #
Curve Finance (curve.fi frontend) suffered a DEX / Stablecoin AMM on 2022-08-09, resulting in a loss of approximately $575K.
What happened #
Curve Finance's battle-tested smart contracts were untouched while $575K was stolen by hijacking its DNS nameserver and serving a cloned site that harvested token approvals.
Linked factors #
- RD-F-001 — related : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: N/A — no smart contract exploited]
- RD-F-077 — related : Auto-linked by C.4 triage 2026-05-07
- RD-F-081 — related : Auto-linked by C.4 triage 2026-05-07
- RD-F-096 — illustrative : New ERC-20 approval to unverified contract [via realtime_signals/Pre-exploit on-chain signals: Malicious approvals being granted to unverified contract; approval to `0x9eb5f8e...` by multiple wallets in quick succession]