Back to all stories
Reports
Incident Analysis
Curve Finance Hack Incident Analysis
8/10/2022
Curve Finance Hack Incident Analysis

TL;DR

At approximately 4:20 PM EST Aug. 09 2022, Curve Finance(http://curve.fi )'s DNS record was compromised and pointed to a cloned malicious site. The attacker injected malicious code into that site that asked users to give token approvals to an unverified contract. In total, 7 users were affected by the exploit culminating in ~$612k losses.

Summary

At approximately 4:20 PM EST Aug. 09 2022, Curve Finance(http://curve.fi )'s DNS record was compromised and pointed to a malicious site which was an exact copy of the legitimate webpage. However, on this cloned copy the attacker had injected malicious code that asks users to give token approvals to an unverified contract. If the user approved that transaction, the funds from the users-now-victims were then directed by the attacker using this malicious contract to the hackers address. Since the contract is unverified, we cannot confirm the exact functions of it at this time. Overall, $612,724.16 in USDC and DAI were stolen by the hacker, who then swapped the funds for ETH. The attack then sends ETH to the following locations:

FixedFloat: 292 ETH

Tornado Cash: 27.7 ETH

Binance: 20 ETH

EOA 0xcdd: 23 ETH

Onchain Analysis

This attack bares similarities with the Premint exploit that occurred on 17 July where malicious code was injected into the frontend of Premint’s website in order to scam users to set approval for all transactions. What’s different here is that the hacker deployed a malicious contract that when interacted with would redirect funds to the hackers wallet. Here is an example: OCA1

The victim wallet interacts with the exploiters contract and calls an unknown function (due to the contract not being verified) that transfers the victims funds straight to the hackers wallet. The malicious DNS would ask the user to approve all transactions for the malicious contract
OCA2

Once the hacker had accumulated ~ 612k worth of stablecoins they are then exchanged for ~362 ETH. OCA3

Traditionally with exploits like this we’d almost certainly see the majority of the stolen funds being deposited into Tornado Cash. But the recent sanctioning of Tornado Cash from OFAC likely concerned the hacker enough to send the majority of the stolen funds to FixedFloat, a centralized exchange.

FixedFloat tweeted that they froze 112 ETH of the stolen funds, however a total of 270 ETH was sent to the exchange. Here is one example of such transaction: OCA4

Whats also interesting to note is that this wasn’t a wallet drainer attack. When we look into one of the victims wallets, we see movement of funds that are unaffected by the attack. Here’s an example: OCA5

As we can see, the wallet continues to hold funds and even sent ~$240k to a smart contract, which then transferred the funds to Kraken 10. It is therefore likely that the attack only affected attempted transaction on Curve Finance.

Web2 Vulnerabilities in Web3

This exploit is another example of how a Web2 vulnerability can seriously affect users in Web3. Be it Discord hacks, Twitter compromises or website exploits, Web2 infrastructure often holds a single point of failure leading to devastating losses. Due to these centralized issues, it is perhaps on the easiest ways to exploit Web3. Unfortunately this means that we can expect to see these types of attacks to continue going into the future.

This exploit is another example of how damaging Web2 vulnerabilities can be in the Web3 space. The hacker compromised Curve Finance DNS which pointed users to a site with malicious code. This is similar to the Premint hack where the exploited injected malicious code to get users to sign a SetApprovalForAll() function which effectively transferred users NFTs to the exploits wallet.

Malicious Curve.fi IP: OCA6

Correct Curve.fi IP: OCA7

Profit and Assets Tracing

Using SkyTace, we can see that there are 7 unique victims in this attack. Once the funds entered the hackers wallet, they were swapped for ETH and then sent onwards FixedFloat and Binance with an additional 27 ETH being sent to Tornado Cash. PaAT

Conclusion

In future exploits, we are now more likely to see exploited funds moving to centralized exchanges over Tornado Cash due to the recent sanctioning of the mixer protocol. This is perhaps the first major exploit where the majority of the stolen funds were sent to centralized exchanges first and then Tornado Cash as a back up. Due to this, the rapid reporting of exploits and hacks is of vital importance to enable centralized exchanges to freeze hackers funds.

By following CertiKAlert on Twitter, you’ll be the first to be alerted on exploits, hacks and exit scams as they happen. Follow CertiKAlert to be notified first and help us spread the word on exploits where we can together help secure Web3.