Curve Finance Hack - How Web 2.0 impacts Web 3.0


Another day, another DeFi protocol hacked. This one, however, is a little different. In our previous posts we looked at decentralized projects that were hacked because of leaked or stolen wallet keys and weak or vulnerable protocols. This time we'll look at how issues with Web 2.0 protocols or services can affect Web 3.0 projects. Case in point: the Curve Finance hack, which took place on the 9th of August, 2022. The attackers carried out a DNS poisoning attack.

What is Curve Finance?

Curve Finance is an AMM (automated market maker) exchange that started out in 2020 with the goal of attracting investors by moving away from the volatility of the market and focusing on stability.

What is the Domain Name System (DNS)?

Before we get into the attack, let's briefly go over what DNS is. DNS is the system that maps domain names to IP addresses. When you open a browser tab and type 'www.example.com' into the address bar, your system sends a DNS request to a DNS server asking for the IP address of that domain. Only once the DNS server responds can your browser send a request to the IP address of the web server. DNS records also hold other information, such as mail servers and name servers.

DNS servers are distributed all over the world. The root DNS servers are maintained by organizations such as ICANN, NASA and Verisign, while secondary DNS servers are maintained by governments, ISPs and private organizations, including Google and Cloudflare.

DNS Cache Poisoning - How the attack took place

The primary domain of the decentralized exchange, curve.fi, fell prey to a DNS hijacking attack. The attackers created a fake site that mimicked the real Curve exchange website. Then the attackers somehow got control of a DNS server and modified the DNS entries for the Curve Finance domain to point to the IP address of the malicious site they had created. So, for the duration of the attack, whenever a user tried to access the curve.fi domain, they were taken to the fake website instead. There, users were tricked into approving the transfer of their funds into a malicious smart contract.

As a result, the attackers were able to steal $575K worth of users' funds from the Curve exchange.

What can be done?

In such attacks, the victims seldom have any indication that something is amiss. The reason is that users trust DNS by default, and this trust is exactly what is exploited here. Users can do little about it. The responsibility for handling such attacks lies with the DNS providers. It is therefore up to Web 3.0 developers to make sure they do not cut costs here and only go with reputable DNS providers.
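One check a project team can run on its own side, shown here as an added example rather than anything Curve Finance or the original post describes: query the domain through several independent resolvers, compare each answer against the addresses the team knows it published, and against the other resolvers, and alert when one of them disagrees. The resolver labels, the allowlist and the answers below are all constructed; in practice the observations would come from real lookups, for example with the query builder above or a DNS library.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Hypothetical monitoring check, constructed for this example. Resolver names
# and addresses are made up (RFC 5737 documentation ranges); in production the
# Observation objects would be filled from real lookups against several resolvers.

@dataclass(frozen=True)
class Observation:
    resolver: str          # label of the resolver that was queried
    name: str              # domain that was looked up
    addresses: frozenset   # set of A records it returned

def _is_valid_ipv4(addr: str) -> bool:
    try:
        return isinstance(ipaddress.ip_address(addr), ipaddress.IPv4Address)
    except ValueError:
        return False

def check_observations(expected: dict, observations: list) -> list:
    """Return one alert per observation that is malformed, for a name with no
    pinned addresses, outside the allowlist, or different from what most
    resolvers returned (quorum)."""
    # Quorum: the most common answer set per name across all resolvers queried.
    quorum = {}
    for name in {o.name for o in observations}:
        votes = Counter(o.addresses for o in observations if o.name == name)
        quorum[name] = votes.most_common(1)[0][0]

    alerts = []
    for obs in observations:
        alert = {"resolver": obs.resolver, "name": obs.name}
        bad = [a for a in obs.addresses if not _is_valid_ipv4(a)]
        if bad:
            alerts.append({**alert, "reason": "malformed", "detail": sorted(bad)})
            continue
        allowed = expected.get(obs.name)
        if allowed is None:
            alerts.append({**alert, "reason": "unpinned", "detail": sorted(obs.addresses)})
            continue
        unexpected = obs.addresses - allowed
        if unexpected:
            # The strongest signal: an address the team never published.
            alerts.append({**alert, "reason": "not-in-allowlist", "detail": sorted(unexpected)})
        elif obs.addresses != quorum[obs.name]:
            # Weaker signal: allowed addresses, but not what the other resolvers see.
            alerts.append({**alert, "reason": "disagrees-with-quorum", "detail": sorted(obs.addresses)})
    return alerts

# Constructed allowlist: the addresses the team knows it published for the domain.
EXPECTED = {"curve.fi": frozenset({"192.0.2.10", "192.0.2.11"})}

# Constructed answers from three resolvers; resolver-c returns an address that
# was never published, which is what a modified record would look like.
OBSERVATIONS = [
    Observation("resolver-a", "curve.fi", frozenset({"192.0.2.10", "192.0.2.11"})),
    Observation("resolver-b", "curve.fi", frozenset({"192.0.2.10", "192.0.2.11"})),
    Observation("resolver-c", "curve.fi", frozenset({"198.51.100.77"})),
]

if __name__ == "__main__":
    for alert in check_observations(EXPECTED, OBSERVATIONS):
        print(alert)
```

On the constructed data the check raises exactly one alert, for `resolver-c` with reason `not-in-allowlist` and detail `['198.51.100.77']`. The allowlist comparison is the signal worth paging on; the quorum comparison is there to catch a single resolver serving a stale or altered record when the allowlist itself has not been kept current.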

These attacks also serve to remind us that, even with the advent of Web 3.0 and blockchain technology, a truly decentralized system is still a long way off.

Front-end technologies still rely upon traditional systems and services and it is imperative that we consider the security of these as well.

Worried about attackers targeting your smart contracts? Contact DeTaSECURE for your smart contract audits.