Rough news for the Flywheel. The Curve.fi DNS got hijacked, leading to ~$570K in funds stolen. The attacker exploited the DNS to serve a spoofed version of the Curve site, with an injection that requested approval to a malicious contract used to drain funds.
It’s a particularly demoralizing turn of events, as Curve had previously sported a nearly spotless history of safety and avoiding hacks.
The good news is that the actual Web3 infrastructure, i.e. the smart contracts which constitute the underlying Curve architecture, remains unblemished. All funds in Curve are safe. The users who suffered are those who interacted with the website during the brief window it was compromised.
The chink in the armor here is the DNS, a piece of Web2 infrastructure that has been the attack vector in previous incidents targeting Convex and Badger.
For the less technical audience — most webpages are not directly accessible at the friendly “curve.fi” domain names we regularly type into our browser. Webpages are in fact served from an IP address, an ugly sequence of numbers like 127.0.0.1 — in fact, most sites will work just fine if you type their IP address directly into your browser.
Since most humans are bad with numbers, DNS exists as a generally helpful middleman to point user-friendly domain names to the IP address which will serve the website when called.
The architecture of DNS has been around for a while. It works through a fairly complex recursive process, which was ideal for the early days of the internet, when pushing and caching this information globally had to adapt to slow bandwidth speeds.
A particular nuisance of DNS infrastructure is that propagation is notably slow. Once the record is corrected at its authoritative source, it can take time for the change to cascade throughout the planet to the various resolvers and forwarders that cache it. In other words, even though the problem may be discovered and solved quickly, users may remain at risk for several hours.
The problem for Web3 services is that if you want a webpage, which most users demand, you can’t avoid certain clunky pieces of Web2 infrastructure such as domain registrars and DNS servers. Because smart contracts may secure billions of dollars in funds, the Web3 infrastructure is built to be quite resilient. Web2 services are far less so.
DNS services are not big cash cows, so they can’t invest as much in security and end up being a bit easier to hack. In some cases DNS providers can be exploited by simply calling up customer service and persuading the agent that you are the true owner of the website. In other words, the security of billions of dollars in funds is at the mercy of a phone agent possibly earning at or below minimum wage.
It’s not the sort of infrastructure that can withstand the high stakes and increasingly sophisticated exploits common to Web3, and it calls out for a solution. A solution at some point is likely to come from a combination of IPFS and ENS domains — Curve indeed has a safe and immutable version that is hosted on IPFS.
However, the IPFS / ENS architecture is not fully supported by all browsers. Until this is broadly solved, the public remains reliant on faulty Web2 infrastructure. For instance, if you want to access an IPFS site through DNS, you might have previously bookmarked curve.eth.link. But the “eth.link” portion is itself a Web2 service, which redirects domains to the appropriate IPFS site, so eth.link is faulty in and of itself… we just can’t win…
So as long as the Web3 infrastructure is not robust and users need Web2 access, the industry as a whole is at risk.
In this case, for more details about what exactly happened with this specific compromise, we’ll need to await a post-mortem from the nameserver provider, @iwantmyname.
The good news is that the community stepped up very quickly with regard to this specific incident. The issue was flagged publicly by @_bout3fiddy_, who boasts one of the strongest alpha-to-follower ratios on Twitter.
The news spread like wildfire across Twitter, briefly tanking $CRV price amidst the confusion.
Users who approved the malicious contract while the site was compromised saw their funds drained. All told, about $570K in funds was stolen, which was quickly converted into ETH.
The funds were sent to @FixedFloat, which for its part quickly froze the funds.
Within an hour the DNS issue had been fixed, but due to the nature of DNS it took several hours to propagate, during which time users were advised to use Curve’s newer frontend if needed, which was unaffected by the hack.
A big thanks to the community who stepped up to spread the message of the exploit quickly. Hopefully this quick spread of info prevented more attacks.
In tweets since deleted, possibly for legal reasons, one white-hat hacker described their efforts to DDoS curve.fi throughout the proceedings, so users couldn’t accidentally load the site until the issue was fixed. You know who you are ser, and we thank you for your efforts!
Other winners from the affair include @hexagate_ who identified the security risk pre-transaction.
How can you as a user stay safe? It may be unusual practice, but you may want to check social media before executing a transaction to see if there are users commenting on a hack. It may not help if you’re the first to get hit though.
It’s always useful to revoke approvals to unnecessary contracts, for which several sites can help you. Although a good practice, it wouldn’t have helped in this case.
The best solution is to teach yourself to be less reliant on the frontend. Users interacting entirely through backend calls have far more tools at their disposal to verify contract transactions ahead of time.
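One way to apply that advice before signing, as an added example that is not code from the original post or from Curve: decode the calldata of an ERC-20 approve() request and refuse to sign unless the spender is on a list you vetted yourself and the allowance is bounded. The selector and word layout are the standard ERC-20 ABI encoding; the allowlist address is a placeholder.

```python
from dataclasses import dataclass

APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
UNLIMITED = (1 << 256) - 1      # max uint256, the "unlimited" allowance many frontends request
# Constructed allowlist of spenders you have deliberately vetted (placeholder address).
TRUSTED_SPENDERS = {"0x000000000000000000000000000000000000dead"}

@dataclass
class ApprovalCheck:
    spender: str
    amount: int
    trusted: bool
    unlimited: bool

    @property
    def safe_to_sign(self):
        # Only sign when the spender is one you vetted and the allowance is bounded.
        return self.trusted and not self.unlimited

def decode_approve(calldata):
    # Decode approve(address,uint256) calldata; None if it is some other call or malformed.
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    if data[8:32] != "0" * 24:  # an address is right-aligned in its 32-byte word
        return None
    return "0x" + data[32:72], int(data[72:136], 16)

def check_approval(calldata, trusted=TRUSTED_SPENDERS):
    # Flag an approval whose spender is unknown or whose allowance is unlimited.
    decoded = decode_approve(calldata)
    if decoded is None:
        return None
    spender, amount = decoded
    known = {t.lower() for t in trusted}
    return ApprovalCheck(spender, amount, spender in known, amount == UNLIMITED)

def encode_approve(spender, amount):
    # Build the calldata a wallet would show for approve(); used here to construct sample input.
    word_addr = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + APPROVE_SELECTOR + word_addr + format(amount, "064x")
```

Paste the hex calldata your wallet shows into check_approval(); an unknown spender or an unlimited amount is exactly the pattern the spoofed site relied on.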
Even if you wish to rely on the frontend, you can teach yourself a few backend tricks to improve your safety, as we outlined here:
Another such guide is offered by the DeFi Safety team, who deserve credit for raising noise on the subject. As far back as December 2021, @BowTiedIguana has been recommending that some entrepreneur build monitoring solutions to alert protocols to DNS problems more quickly. Money on the table…
We’re relieved the hack wasn’t worse and was resolved quickly, but it remains a rough day for flywheelers. Stay safe frens!
August 10, 2022: Curve Frontend Hacked 🕵️💸