Curve Finance, a major decentralized finance (DeFi) protocol, suffered a DNS hijacking attack beginning around 21:30 UTC on May 12, 2025. Attackers manipulated the domain name system (DNS) records for Curve's website, redirecting users to a fraudulent site that mimicked the legitimate interface and contained malicious JavaScript wallet drainer code. The malicious dApp was hosted via Cloudflare infrastructure. The attack was strictly limited to the DNS layer and did not compromise Curve's core smart contracts or blockchain infrastructure.

The project has confirmed that user funds and smart contracts remain secure. However, users were warned not to interact with the Curve website or sign any transactions until the issue was resolved, as the malicious site could prompt users to approve token transfers to attackers. Users were also advised to revoke any suspicious approvals.

The incident also affected Convex Finance, which relies on data from Curve, rendering much of Convex's website non-functional, though Convex's own site remained safe. At the time of the attack, Curve's total value locked (TVL) was reported at $3 billion. During the incident, the DNS briefly resolved to Vercel (legitimate), but attackers regained control and redirected it back to the malicious Cloudflare-hosted site. The domain registrar involved was iwantmyname.

Curve Finance experienced a similar DNS hijack in 2022, resulting in $570,000 in losses, and another exploit in 2023 involving Vyper programming vulnerabilities with estimated losses of $24 million. The security team has isolated the current issue, initiated an investigation, and is working with its domain registrar and partners to restore normal operations.
Curve Finance Hit by DNS Record Attack, Warns Users to Avoid Main Site ► https://t.co/vsQIEgoLBR
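The DNS hijack of Curve's domain still hasn't been resolved; they've been burned pretty badly by the iwantmyname service... This time the phishing gang is also playing a deception trick in the front end, faking a wallet pop-up to phish for mnemonic phrases directly... I have to say, that's pretty sleazy. I wonder whether anyone fell for it... https://t.co/5sM9OKHodL https://t.co/jWCKTeHULU
Curve already had its DNS hijacked back in 2022 because of @iwantmyname, and this time it's actually because of the same thing again?...😭 https://t.co/opDVjFVvgA https://t.co/Jdamjzl2Nw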