Exchange liquidity protocol Curve Finance has been targeted by hackers who took about $570,000, according to a wallet screenshot shared on Twitter on August 9.
“We are aware of a potential front-end issue of approving the wrong contract. At this time, please do not perform any approvals or trades. We are trying to locate the issue, but at this time, for your security, do not use curve.fi or curve.exchange,” the Telegram announcement read.
During the initial investigation, the team revealed that the attack was suspected to be a breach in the system @jeveuxmonnom rather than at the registrar level. “The contract that needs to be revoked is: 0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881. If you approved it, please revoke it immediately at https://revoke.cash,” the team added.
The team behind the project also relayed the following theory from Lefteris Karapetsas, founder of the Rotki app, that the attack affected their domain name system (DNS):
“It’s DNS spoofing. Cloned the site, points the DNS to their IP address where the cloned site is deployed, and added approval requests to a malicious contract.”
From the details above, the hacker likely manipulated the domain name system entry for the protocol, redirecting users to a fake clone of the site that asked them to approve a malicious contract. However, the protocol’s own contract was unaffected by the attack.
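One way a wallet-side check could catch the approval request described above, as an added example that is not part of the original article: it decodes ERC-20 `approve(address,uint256)` calldata and blocks the contract address quoted above. The trusted spender, the function names and the sample calldata are constructed for illustration.

```javascript
// Added example (not from the article): review an ERC-20 approve() request
// before signing. Function names and sample data are hypothetical.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Contract address the Curve team asked users to revoke (quoted in the article).
const REPORTED_MALICIOUS = new Set(["0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881"]);
// Constructed placeholder for a spender the user already trusts.
const TRUSTED = new Set(["0x1111111111111111111111111111111111111111"]);

// Build calldata for the constructed samples below.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amount.toString(16).padStart(64, "0");
}

// Decode approve(spender, amount); returns null for anything else.
function decodeApprove(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  // Exactly 4-byte selector + two 32-byte words, all hex.
  if (hex.length !== 136 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // A 20-byte address is left-padded with 12 zero bytes in its word.
  if (!spenderWord.startsWith("0".repeat(24))) return null;
  return { spender: "0x" + spenderWord.slice(24), amount: BigInt("0x" + hex.slice(72)) };
}

// Verdict is one of "not-approve", "block", "warn", "allow".
function reviewApproval(data, trustedSpenders) {
  const call = decodeApprove(data);
  if (!call) return { verdict: "not-approve" };
  if (REPORTED_MALICIOUS.has(call.spender))
    return { verdict: "block", reason: "spender reported as malicious", ...call };
  if (!trustedSpenders.has(call.spender))
    return { verdict: "warn", reason: "spender not on the allowlist", ...call };
  if (call.amount === MAX_UINT256)
    return { verdict: "warn", reason: "unlimited allowance requested", ...call };
  return { verdict: "allow", ...call };
}

// Constructed sample: the request a cloned front end would present.
const sample = encodeApprove("0x9eb5f8e83359bb5013f3d8eee60bdce5654e8881", MAX_UINT256);
console.log(reviewApproval(sample, TRUSTED));
```

The check keys on the spender in the calldata rather than on the site's hostname, because with hijacked DNS the hostname in the address bar is the legitimate one.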
Curve Finance’s native token is down 8%
Curve Finance is a popular automated market maker (AMM) which offers an efficient way to trade tokens while keeping fees and slippage low by only accommodating liquidity pools comprised of similarly behaving assets.
Following the incident, the CRV token registered an 8% decline but showed a marginal recovery of 5%.
Immediately after the announcement, the decentralized finance (DeFi) protocol’s operators said via Telegram that they had found the root cause of the problem and fixed it.
“If you have approved any contracts on Curve in the past few hours, please revoke them immediately,” they continued. The protocol also advised users to use curve.exchange until curve.fi propagation returns to normal.
“Updates should have propagated for http://curve.fi everywhere now, which means it should be safe to use.”