One of the Most Trusted Protocols in DeFi Falls Victim to an Exploit

Rug Zombie
Aug 15, 2022


As we all continue our crypto journey, trying to escape exploits can be a cumbersome process. Exploits take many different forms, and it seems that even our most trusted protocols are falling victim each week. This week, one of the largest DeFi protocols fell victim to an exploit that resulted in $570k of users’ funds being stolen. Fortunately, the Curve Finance team sounded the alarm quickly and the damage was contained, but it should still serve as a reminder that nothing in DeFi is 100% safe. Let’s look at some of the details of the exploit and the events that transpired.

Details of the Exploit

This exploit had nothing to do with the smart contracts of the protocol; instead, Curve fell victim to a DNS hijacking. The hacker was able to hijack the front end of the website and direct users to approve a malicious smart contract. To the end user, when they loaded the curve.fi site as they normally would, nothing looked different. Only when users went to make a swap were they directed to approve a smart contract that would drain the digital assets from their wallet. This resulted in 340 ETH ($575k) of stolen funds. After the exploiter received these funds, they deposited 292 ETH into FixedFloat, with 112 of the ETH being frozen. The remaining ETH was sent to Binance and the infamous Tornado Cash.

Actions Taken During and After the Exploit

The Curve Finance team and the greater DeFi community were quick to notice the DNS hijacking, which was instrumental in reducing the total amount of funds exploited. The Curve Finance Twitter account posted an alert telling users not to use the traditional curve.fi site until their internal investigation was complete. Additionally, Curve was able to identify the malicious smart contract that was being approved and gave instructions for users who had approved it to revoke that approval using revoke.cash. Even if you had approved this malicious smart contract, there was an opportunity to save your funds by acting quickly and revoking the approval as soon as possible.

What Does This Mean Moving Forward

What this exploit shows us is that nothing is completely safe to use in DeFi. Curve Finance had a long history of operating without an exploit and has been audited by some of the best auditors in the space. Although audits don’t necessarily look for issues in hosting, what this exploit tells us is that protocols need to remove their reliance on Web2 DNS providers. These centralized entities are outside of the DeFi protocols’ control and provide just another vector through which an exploit can occur. Moving forward, this potential fault can be eliminated by using Web3 solutions like IPFS and ENS to host their dapps. With this latest exploit and the recent sanctioning of Tornado Cash and subsequent blacklisting of USDC, it is more apparent than ever that crypto needs to practice what it preaches and provide truly decentralized solutions to these problems.

What is Revoke.Cash?

Revoke.cash is a tool that allows users to revoke approvals on smart contracts. If you previously gave a contract approval to use one of your digital assets, you can use Revoke.cash to later remove this approval.
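
What the approval prompt described above actually carries, and what a revocation changes, shown as an added example that is not code from Curve, Revoke.cash, or this post. It assumes the approval is a standard ERC-20 `approve(address,uint256)` call; the allowlist, function names, and addresses are hypothetical or constructed.

```javascript
// Added example: review ERC-20 approve() calldata before a wallet signs it.
const APPROVE_SELECTOR = "095ea7b3"; // selector of approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance value

// Hypothetical allowlist, pinned out-of-band (not fetched from the dapp site).
// The address is a constructed placeholder, not a real contract.
const KNOWN_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Build approve() calldata; used here only to construct sample inputs.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Return { spender, amount } for a well-formed approve() call, else null.
function decodeApprove(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  // 4-byte selector plus two 32-byte ABI words = 136 hex characters.
  if (!/^[0-9a-f]{136}$/.test(hex) || !hex.startsWith(APPROVE_SELECTOR)) return null;
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes; the upper 12 must be zero.
  if (!spenderWord.startsWith("0".repeat(24))) return null;
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Classify the request: revoke, ok, warn, block, or not-approve.
function reviewApproval(calldata, knownSpenders = KNOWN_SPENDERS) {
  const call = decodeApprove(calldata);
  if (!call) return { verdict: "not-approve" };
  if (call.amount === 0n) return { verdict: "revoke", ...call }; // allowance set to zero
  const unlimited = call.amount === MAX_UINT256;
  const verdict = knownSpenders.has(call.spender) ? "ok" : unlimited ? "block" : "warn";
  return { verdict, unlimited, ...call };
}

// Constructed samples: an unknown spender asking for an unlimited allowance,
// then the zero-amount approval that removes it again.
const UNKNOWN = "0x2222222222222222222222222222222222222222";
for (const data of [encodeApprove(UNKNOWN, MAX_UINT256), encodeApprove(UNKNOWN, 0n)]) {
  const r = reviewApproval(data);
  console.log(r.verdict, r.spender);
}
```

Because the spender is read from the transaction data rather than from anything the web page displays, the check still works when the front end itself has been replaced.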

What is DNS?

DNS stands for Domain Name System. You can think of it like the phonebook of the internet, whereby humans access information online through domain names allowing us to use our favorite websites.

What is Curve Finance?

Curve Finance is a decentralized exchange (DEX) that specializes in like-asset swaps, most notably stablecoins.

Written by Rug Zombie

Bringing your rugged tokens back from the dead. https://linktr.ee/rugzombie
