A Note on Curve Finance and Preventing DNS Attacks

2022-08-30

On August 9, a group of attackers exploited a vulnerability in Curve Finance, stealing $570,000 in Ethereum (ETH) from user wallets.

Using a fake lookalike copy of Curve Finance's homepage, curve.fi, criminals harvested information such as usernames, passwords, and wallet addresses. Fortunately, the Binance investigations team recovered some 85% of the stolen funds and is now working with law enforcement to return the money to their rightful owners.

In this article, we provide an overview of the exploit and what project teams can learn from this incident.

What is a DNS Server?

To understand this attack, you'll first need to know how a DNS server works. DNS, short for domain name system, is one of the fundamental tools allowing people to browse the internet effortlessly.

Whenever someone types a domain, such as "www.binance.com," their device sends a query to a DNS server asking for the IP address. Typically, this query will go through multiple DNS servers until it finds the corresponding address.

In layman's terms, one can think of the internet as a massive, intricate highway system, with each road leading to a different website. On these roads, DNS servers function as traffic officers that guide cars in the right direction.

Navigating the internet without DNS servers would be like driving in a foreign country with no maps, GPS, or street signs: everyone would end up at the wrong destination.

The Curve Finance Breach

DNS servers are built on trust. We trust the system will bring us to the right website. We enter sensitive information on these websites, such as bank accounts or personal details.

What happens if someone compromises one of the servers for malicious purposes? In the case of the Curve Finance attack, hackers created a 1:1 copy of Curve's real DNS server and redirected users to a rogue website that looked exactly like the project's homepage.

The method they used is called DNS cache poisoning, and it's designed to exploit people's trust in DNS servers. Because the user entered a legitimate URL, they have little reason to suspect the website is stealing their credentials. Now, imagine this on a larger scale: a poisoned DNS server redirecting hundreds of thousands of users to multiple harmful websites.
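To make the resolution step and the poisoning scenario concrete, here is an added example (not code from the original article or from Curve Finance) that builds a DNS A-record query in RFC 1035 wire format, parses a response, and applies the check a project team can run from its own monitoring: does the address a resolver returns for the domain match the records the project actually publishes? The two responses below are constructed in-line for the demonstration; the IP addresses are documentation ranges (TEST-NET), not the real curve.fi records, and the "expected records" table is a hypothetical allowlist a team would maintain from its own hosting setup.

```python
import struct

# Constructed allowlist (hypothetical): the addresses the project itself publishes
# for its domain. Real monitoring would load this from the team's own records.
EXPECTED_A = {"curve.fi": {"203.0.113.10"}}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A-record query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg: bytes):
    """Return (transaction id, question name, list of IPv4 strings from A records)."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, qname = 12, None
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, offset = decode_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return txid, qname, answers


def build_response(query: bytes, ip: str) -> bytes:
    """Constructed stand-in for a resolver: answer the query with one A record (TTL 300)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]  # echo the question section verbatim
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rdata = bytes(int(part) for part in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata  # name -> offset 12
    return header + question + answer


def check_answer(query: bytes, response: bytes, expected=EXPECTED_A):
    """Defender check: the answer must carry our transaction id and only known addresses."""
    query_txid = struct.unpack("!H", query[:2])[0]
    txid, qname, ips = parse_response(response)
    if txid != query_txid:
        return False, "transaction id mismatch"
    unexpected = set(ips) - expected.get(qname, set())
    if unexpected:
        return False, f"{qname} resolved to unexpected address(es): {sorted(unexpected)}"
    return True, f"{qname} -> {ips}"


if __name__ == "__main__":
    query = build_query("curve.fi")
    print(check_answer(query, build_response(query, "203.0.113.10")))   # legitimate answer
    print(check_answer(query, build_response(query, "198.51.100.77")))  # diverging answer
```

The second call models what a poisoned or hijacked record looks like from the outside: the user asked for the right name, the protocol exchange is well-formed, and only a comparison against the records the project knows it publishes reveals that the address is wrong. Running this kind of comparison from several vantage points (different public resolvers, different regions) is a cheap way for a project to notice a redirect before its users do.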

How to Stay Safe Amid DNS Cache Poisoning?

Avoiding a compromised DNS server will always be more straightforward than cleaning up the damage afterward. Here's what regular users can do to safeguard their funds:

  • Don't click on suspicious links.

  • Clear your DNS cache periodically.

  • Regularly scan for harmful programs on your device.

There are limits, however, to what everyday folks can do to protect themselves in this situation. Compromised DNS servers will often redirect users to an identical homepage that is near-impossible to discern from the page they intended to view.

The onus lies on the crypto companies providing their services to millions of users globally. Projects should ensure they use a secure, reputable domain management vendor. Do not try to cut costs with a low-end DNS provider. A reliable vendor, such as MarkMonitor or Cloudflare, should support protections that prevent attackers from altering a project's domain name settings.

Protect Your Users

Attacks like this are a harsh reality in an emerging industry like crypto. The damage could've been irrevocable (potentially millions in user funds) if Curve's breach went undetected for even another day. For crypto to grow sustainably, our industry must prioritize building a secure ecosystem first. We hope other projects can learn from the information in this article and focus on the right thing: protecting their users.