Protocol-impersonator domain registered (typosquat)

Curve Finance's assessment for RD-F-161 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

Curve Finance is a major DeFi brand ($1.72B TVL, 6+ year history, global name recognition) making it a high-value typosquat target. 90-day detection window applies (2026-01-28 to 2026-04-28). Documented impersonation history relevant to the detection window: May 2025 DNS hijack involved creation of a full replica frontend at a malicious IP pointed by hijacked curve.fi DNS — functionally equivalent to domain-level spoofing. May 2025 X account compromise. Curve migrated from curve.fi to curve.finance post-May 2025 incident; curve.fi is now a legacy domain that could be exploited as a typosquat surface if adversarially re-registered. WHOIS/domain-monitoring feed required for full 90-day typosquat registration scan — not publicly accessible without DomainTools/MarkMonitor. Risk is elevated given proven repeated attack pattern on domain infrastructure. Score yellow: elevated by documented impersonation history; specific 90-day registration count requires domain feed.

Sources #

URL
Domain exploit at Curve Finance triggers wallet drainsDomain exploit at Curve Finance May 2025 — registrar-level compromise (iwantmyname second time)retrieved 2026-04-28
URL
Curve Finance Faces Dual Security Breaches: X Account Compromised and DNS HijackCurve Finance dual security breach — DNS hijack + X account compromise May 2025retrieved 2026-04-28

Methodology #

Determine whether a typosquat of the official protocol domain has been registered in the last 90 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol curve-v2 factor RD-F-161 score yellow collected_at 2026-04-28 19:48:40