Definition:
DNS hijacking in DeFi is a front-end attack in which an attacker gains control of a legitimate protocol’s DNS records and redirects traffic to a malicious copy of the site that serves wallet-draining code. Users who navigate to the genuine domain (e.g., curve.fi or balancer.fi) are transparently served a fake frontend. To the browser, the site appears legitimate: correct domain and, because domain-validated TLS certificates are issued on proof of DNS control, usually a valid certificate and padlock as well. Every wallet interaction the page offers is turned into a transaction request that benefits the attacker. The underlying smart contracts are not compromised; it is the human-facing interface that is weaponized.
How DNS Hijacking Works
DNS basics: When you type curve.fi, your browser asks a DNS resolver, which follows the delegation from the .fi registry to the domain’s name servers and returns the IP address of the web server hosting the site. Two accounts control that chain: the registrar account (e.g., at Namecheap), which sets the NS delegation, and the DNS hosting account (e.g., Cloudflare, Route53), which holds the A/AAAA records inside the zone. The two are often, but not always, the same provider.
Attack path:
- Attacker takes over the domain registrar or DNS hosting account (credential theft, SIM swap of the recovery phone, social engineering of provider support staff, or a stolen provider API key).
- Attacker repoints the name: either the NS delegation at the registrar, so the whole zone is served from attacker name servers, or the A/AAAA records within the zone, so the web address resolves to an attacker-controlled server.
- Attacker serves a near-perfect copy of the DeFi frontend, typically with a freshly issued domain-validated certificate.
- Users visit the legitimate URL and are served malicious code without any visual indication.
- Any wallet interaction (approve, swap, add liquidity) is replaced with an approval or transfer that lets the attacker drain the user’s wallet.
Notable Incidents
Curve Finance (August 2022)
Curve’s frontend (curve.fi) was hijacked when the attacker took control of the domain’s name servers at Curve’s DNS provider, iwantmyname, and pointed the name at a cloned site. The clone prompted users to approve a malicious contract, and approximately $575K was drained before the team regained control and warned users. Smart contracts were unaffected; only users who signed approvals on the frontend during the window before the DNS was restored lost funds.
Balancer (September 2023)
Balancer warned users that its frontend had been compromised via a DNS hijack of its domain registrar, later attributed to social engineering of the registrar, and advised users not to interact with the site until the records were restored. The team estimated that roughly $238K was drained. The incident came within weeks of Balancer also disclosing a smart contract vulnerability in some of its pools, an unusually difficult period for the protocol.
KyberSwap (2022)
A malicious Google search advertisement directed users searching for “KyberSwap” to a look-alike site on a different domain. This was search-ad phishing rather than a DNS hijack: users’ resolvers answered correctly, but the link they clicked never pointed at the real domain. The outcome, a drainer frontend reached from a trusted starting point, was the same.
Why It’s Particularly Dangerous
- Trust exploitation: Users see the correct URL in their browser and assume the site is safe.
- TLS certificates: Control of DNS is enough to pass a certificate authority’s domain-validation challenge, so the attacker can obtain a perfectly valid certificate for the hijacked name within minutes. A CAA record does not help, since the attacker controls that too. The padlock proves only that the server matches the name, not that the right party controls the name.
- No on-chain footprint: Unlike smart contract exploits, a DNS attack leaves no trace on-chain until the first drain transactions land; by then victims already exist.
- Broad impact window: Every user who visits during the attack period is at risk simultaneously.
- Security tools miss it: Hardware wallets and browser extensions see only the transaction the page requests; they cannot tell that the page was served from the wrong infrastructure, and a well-crafted drainer asks for an approval that looks like the ordinary one the real site would request, just with a different spender.
Defense
For protocols:
- Registrar account security: Use a registrar that supports hardware-backed 2FA (FIDO2/YubiKey), disable SMS and e-mail based account recovery, and keep the login on a unique, non-reused credential held by a small named group. Avoid obscure registrars with weak support-desk processes; social engineering of support staff is a recurring vector.
- Registry lock: Many top-level domain registries offer a “registry lock” that requires out-of-band verification with the registry before NS or ownership changes can be made, so a stolen registrar login alone is not enough.
- DNSSEC: DNS Security Extensions sign zone data so resolvers can reject forged answers (cache poisoning, on-path spoofing). They do not stop a registrar-account takeover, because whoever holds the account can replace the DS record or switch signing off; treat a DS record that disappears as an incident indicator rather than a configuration hiccup.
- Monitoring: Poll the NS, A/AAAA and DS records from several public resolvers and from the zone’s authoritative servers, compare against a signed-off baseline, and page on any change within minutes. Also watch Certificate Transparency logs for new certificates on your names; a hijacker will usually mint one.
- Subresource Integrity: SRI hashes on externally loaded scripts protect against a compromised CDN or third-party host, not against a hijack of the main domain, since the attacker serves the HTML that carries the hashes and can simply omit them. Keep third-party script loading minimal and pair SRI with a strict Content-Security-Policy so that a single compromised dependency cannot inject a drainer.
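The monitoring item above, as an added example that is not part of the original page or any protocol’s tooling: a baseline-diff check over the records a hijacker has to change (NS delegation, A/AAAA, DS). The domain, name servers, IP addresses and DS digest are constructed for illustration; in a real deployment the observed dictionaries would be filled from `dig +short` output gathered every minute from several public resolvers and from the zone’s authoritative servers.

```python
# Added example (not from the original page): baseline-diff DNS monitor.
# All domain names, IPs and the DS digest below are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str


def parse_dig_short(output: str) -> frozenset:
    """Normalise `dig +short`-style output (one value per line) into a set.

    Trailing dots and letter case are stripped so a harmless re-ordering or
    re-casing of an answer does not fire an alert.
    """
    return frozenset(
        line.strip().rstrip(".").lower()
        for line in output.splitlines()
        if line.strip()
    )


def check_zone(baseline: dict, observed: dict) -> list:
    """Compare observed answers against the signed-off baseline.

    Keys are (name, rtype) pairs. An NS change means the delegation itself
    moved (the registrar-account takeover pattern); a DS record vanishing
    means DNSSEC was switched off before the zone was replaced. Both are
    critical; A/AAAA/CNAME changes are high.
    """
    alerts = []
    for (name, rtype), expected in baseline.items():
        got = observed.get((name, rtype), frozenset())
        if got == expected:
            continue
        if rtype == "NS" or (rtype == "DS" and not got):
            severity = "critical"
        else:
            severity = "high"
        alerts.append(Alert(name, rtype, expected, got, severity))
    return alerts


# Constructed baseline for a hypothetical protocol domain (RFC 2606 .example TLD).
BASELINE = {
    ("protocol.example", "NS"): parse_dig_short("ns1.good-dns.example.\nns2.good-dns.example.\n"),
    ("protocol.example", "A"): parse_dig_short("203.0.113.10\n203.0.113.11\n"),
    ("protocol.example", "DS"): parse_dig_short(
        "12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF\n"
    ),
}

# Constructed answers during a hijack: delegation moved to attacker name
# servers, the web address points at an attacker host, the DS record is gone.
OBSERVED_HIJACK = {
    ("protocol.example", "NS"): parse_dig_short("NS1.EVIL-DNS.EXAMPLE.\nns2.evil-dns.example.\n"),
    ("protocol.example", "A"): parse_dig_short("198.51.100.7\n"),
}

# Constructed benign answers: same data as the baseline, different order and casing.
OBSERVED_OK = {
    ("protocol.example", "NS"): parse_dig_short("NS2.Good-DNS.example\nns1.good-dns.example.\n"),
    ("protocol.example", "A"): parse_dig_short("203.0.113.11\n203.0.113.10"),
    ("protocol.example", "DS"): parse_dig_short(
        "12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    ),
}

if __name__ == "__main__":
    for alert in check_zone(BASELINE, OBSERVED_HIJACK):
        print(f"[{alert.severity}] {alert.name} {alert.rtype}: "
              f"expected {sorted(alert.expected)}, observed {sorted(alert.observed)}")
```

Query the authoritative servers directly as well as public resolvers: during the Curve incident the delegation itself was replaced, so a check that only asked the (attacker-controlled) authoritative servers for A records would have seen a consistent, wrong answer, while the NS comparison catches the move.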
For users:
- Hardware wallet confirmation: Always review transaction details on the hardware wallet screen, not just in the browser. A malicious frontend can show a plausible swap in the browser while the hardware wallet displays the real call: an approve to an unfamiliar spender, an unlimited allowance, or a setApprovalForAll.
- Bookmark protocols: Navigate to DeFi frontends from bookmarks, not from search results, advertisements or social media links. A bookmark defeats look-alike domains; it does not defeat a true DNS hijack, because the bookmarked name itself is what was redirected.
- Follow protocol social media: DNS attack warnings are typically posted immediately on Twitter/X, and the protocol usually names an alternative frontend or IPFS mirror to use in the meantime.
- Check transaction destinations: Before confirming any approval or swap, verify in the wallet the contract address being called and, for an approval, the spender address and amount. If the spender is not one of the protocol’s published contracts, reject it and revoke anything already granted.
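The last two user checks above, worked as an added example that is not part of the original page or of any wallet’s code: decode the calldata a wallet shows for a pending request and flag the patterns a drainer relies on (approval to an unknown spender, unlimited allowance, setApprovalForAll, direct transfer). The function selectors are the standard ERC-20/ERC-721 ones; the token, router and attacker addresses and the “trusted spenders” set are constructed for illustration.

```python
# Added example (not from the original page): decode wallet calldata and flag
# drainer patterns. Addresses and the trusted set below are constructed.

MAX_UINT256 = 2**256 - 1

# 4-byte selectors (first 4 bytes of keccak256 of the canonical signature).
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}


def decode_calldata(calldata: str):
    """Return (function name, selector, args) for a known selector.

    ABI arguments are 32-byte words: an address sits in the low 20 bytes,
    a uint256 fills the word big-endian, a bool is the last byte.
    """
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return ("unknown", selector, ())
    name, types = SELECTORS[selector]
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(words)}")
    args = []
    for i, typ in enumerate(types):
        word = words[32 * i:32 * (i + 1)]
        if typ == "address":
            if any(word[:12]):  # padding must be zero for a well-formed address
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif typ == "bool":
            args.append(word[-1] == 1)
    return (name, selector, tuple(args))


def assess(tx: dict, trusted_spenders: set) -> list:
    """Findings for a wallet request {"to": contract, "data": calldata, "value": wei}."""
    name, selector, args = decode_calldata(tx["data"])
    trusted = {a.lower() for a in trusted_spenders}
    findings = []
    if name in ("approve", "increaseAllowance"):
        spender, amount = args
        if spender not in trusted:
            findings.append(f"{name}: spender {spender} is not a published protocol contract")
        if amount == MAX_UINT256:
            findings.append(f"{name}: unlimited allowance requested")
    elif name == "setApprovalForAll":
        operator, approved = args
        if approved and operator not in trusted:
            findings.append(f"setApprovalForAll: operator {operator} would control the whole collection")
    elif name in ("transfer", "transferFrom"):
        destination = args[1] if name == "transferFrom" else args[0]
        if destination not in trusted:
            findings.append(f"{name}: moves tokens straight to {destination}, not a swap or deposit")
    elif name == "unknown" and tx.get("value", 0) > 0:
        findings.append(f"unknown selector {selector} while sending {tx['value']} wei")
    return findings


# Constructed addresses: a hypothetical published router, an attacker spender, an ERC-20.
ROUTER = "0x" + "11" * 20
DRAINER = "0x" + "aa" * 20
TOKEN = "0x" + "ee" * 20


def word(hexdigits: str) -> str:
    """Left-pad a hex string to one 32-byte ABI word."""
    return hexdigits.rjust(64, "0")


# Constructed calldata as a wallet would display it.
APPROVE_UNLIMITED_DRAINER = "0x095ea7b3" + word(DRAINER[2:]) + word("f" * 64)
APPROVE_LIMITED_ROUTER = "0x095ea7b3" + word(ROUTER[2:]) + word(format(10**18, "x"))
SET_APPROVAL_FOR_ALL_DRAINER = "0xa22cb465" + word(DRAINER[2:]) + word("1")

if __name__ == "__main__":
    for data in (APPROVE_UNLIMITED_DRAINER, APPROVE_LIMITED_ROUTER, SET_APPROVAL_FOR_ALL_DRAINER):
        print(decode_calldata(data)[0], assess({"to": TOKEN, "data": data, "value": 0}, {ROUTER}))
```

The trusted set has to come from an out-of-band source (the protocol’s documentation or a verified contract registry), not from the page that is asking for the signature; a hijacked frontend would happily tell you that its drainer is the router.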
Related Terms
- Wallet Drainer
- Crypto Supply Chain Attack
- Crypto Phishing
- Hardware Wallet Security
- Front-Running (DeFi)
Sources
- Rekt.news — Curve DNS Hijack — Post-mortem of the August 2022 Curve Finance frontend attack.
- Balancer — September 2023 DNS Incident — Official Balancer communication on their DNS attack.
- Cloudflare — What Is DNS Hijacking? — Technical overview of DNS hijacking techniques and defenses.
- IETF — DNSSEC Overview — Technical specification for DNS Security Extensions.
Last updated: 2026-04