DNS/CDN/frontend hash drift
Curve Finance's assessment for RD-F-105 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
DNS/frontend signal has confirmed double-fire history on Curve. (1) August 10, 2022: curve.fi DNS hijacked via iwantmyname registrar compromise; attacker cloned frontend and deployed malicious approval contract; ~$573K drained. (2) May 12, 2025: curve.fi DNS hijacked AGAIN via same iwantmyname registrar; attacker redirected to wallet drainer; funds drained. Additionally, May 5, 2025: Curve's X account compromised (fake CRV airdrop phishing post). Curve subsequently migrated primary domain from curve.fi to curve.finance following May 2025 incident. Current posture: primary domain is now curve.finance; curve.fi migrated away. Monitoring baseline must be established on curve.finance. The signal is structurally highly applicable with confirmed historical fires. Score yellow — applicable with confirmed double-fire history; current posture (post-migration to curve.finance) requires verified monitoring on new domain baseline.
Sources #
- URLAugust 10, 2022 — Curve Frontend HackedAugust 2022 DNS hijack post-mortem (Curve Substack)retrieved 2026-04-28
- Domain exploit at Curve Finance triggers wallet drains, registrar intervenesDomain exploit at Curve Finance — registrar intervenes May 2025retrieved 2026-04-28
- Curve Finance Confirms Migration to New Domain After DNS HijackCurve Finance domain migration to curve.finance post-DNS hijackretrieved 2026-04-28
- Curve Finance Faces Dual Security Breaches: X Account Compromised and DNS HijackMay 2025 DNS hijack — Curve Finance dual security breach (X account + DNS)retrieved 2026-04-28
Methodology #
Detect whether the hash of production frontend JS changes versus the prior published hash, or a DNS config change is detected.
See the full factor methodology and distribution across all protocols →