Curve Finance, one of the leading decentralized finance (DeFi) platforms, has issued a fresh warning after its domain name system (DNS) was hijacked once again, redirecting users to a fake website designed to steal funds. In a May 12 alert, the Curve team warned users not to interact with the site, stating, “curve.fi DNS might be hijacked.”

The attack marks the second security incident involving Curve Finance in just one week. The team confirmed that the website currently points to an incorrect IP address, likely directing traffic to a malicious clone. While the platform’s smart contracts remain unaffected, users visiting the fake site risk having their wallets drained.

Security experts from Blockaid flagged the incident as a potential “frontend attack,” where the visual interface of a website is manipulated to deceive users. Blockaid advised users to immediately stop interacting with Curve’s decentralized app (DApp) and avoid signing any transactions.

Curve also clarified that its account credentials, including two-factor authentication, are secure, and that the issue has been escalated to the domain registrar for resolution. The platform previously suffered a similar DNS rerouting attack in August 2022, which resulted in stolen funds.

Just days before this DNS attack, on May 5, Curve’s official X (formerly Twitter) account was compromised. Although no funds were lost, the incident raised concerns over repeated breaches of Curve’s online infrastructure. The team quickly regained control and confirmed the attack was limited to its social media account.

Curve’s ongoing security challenges highlight growing threats in DeFi, where user trust and robust infrastructure are critical. Users are urged to remain vigilant and avoid interacting with the protocol until an all-clear is issued.