defirisk.co
rubric v1.7.0

DNS/CDN/frontend hash drift

crvUSD (Curve Stablecoin)'s assessment for RD-F-105 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

DNS/CDN/frontend hash drift signal. Threshold: hash of {DNS A/AAAA, TLS cert, HTML DOM root, JS bundle hashes} differs from last-known-good baseline AND no matching change-management allowlist entry. FIRES: On May 12, 2025, the curve.fi domain was hijacked via DNS attack at the registrar level (iwantmyname compromise). Attackers redirected curve.fi traffic to a malicious website. Curve Finance migrated to curve.finance as primary domain. Curve has a prior history: August 2022 DNS attack on curve.fi ($570K losses). As of 2026-05-16: (1) curve.fi domain is in a transitional/deprecated state with ambiguous DNS ownership post-hijack; (2) no public change-management allowlist for the new curve.finance JS bundle hash baseline has been established; (3) the May 2025 attack was unscheduled (no allowlist entry suppressed it); (4) Curve Finance also suffered an X account breach in early May 2025 immediately preceding the DNS hijack — multi-vector attack pattern. Signal WOULD fire in a live monito

Sources #

  • URL
    The Block Curve Finance DNS attack 2025The Block: Curve Finance front-end targeted in DNS attack May 2025 — confirms registrar-level compromise, no contract damage, curve.fi deprecatedretrieved 2026-05-16
  • URL
    Decrypt Curve 2022 DNS attackDecrypt 2022: Curve strongly suggests domain migration to ENS after $570K frontend hack — first DNS attack instanceretrieved 2026-05-16
  • URL
    CryptoSlate Curve domain migration 2025CryptoSlate: Curve Finance moves to new domain after DNS attack — confirms curve.finance as new active domainretrieved 2026-05-16
  • URL
    Curve Domain Incident official postCurve Domain Incident post — May 12 2025 DNS hijack at iwantmyname registrar level; curve.fi redirected to malicious site; migration to curve.financeretrieved 2026-05-16

Methodology #

Detect whether the hash of production frontend JS changes versus the prior published hash, or a DNS config change is detected.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol crvusd factor RD-F-105 score red collected_at 2026-05-16 19:09:40