Curve Finance, DeFi’s second-largest decentralized exchange with $6B in total value locked, has been hit by a frontend exploit.
As of 530pm ET, the issue has been resolved, according to the Curve team.
The Fixed Float exchange says it has frozen 112 ETH ($190,000) of the stolen funds.
Name Server Exploit
The protocol had earlier asked users not to interact with its website as the team investigates.
The exploit was flagged by Paradigm security researcher samczsun. The fake website directs users to approve a malicious contract, which is then able to drain assets from users’ wallets.
Blockchain sleuth zachxbt noted that around $570,000 worth of assets had been stolen as of 4:30pm ET, and that the pilfered funds are being sent to Fixed Float, a crypto exchange that uses Bitcoin’s Lightning network, according to its website.