In the past two days two well known decentralised‑finance projects, Curve Finance and ZKsync, fell victim to attacks that bypassed smart‑contract code and instead exploited the legacy infrastructure on which every crypto service still relies. Neither incident revealed a flaw in cryptography; both exposed the fragility of Web2 gateways such as social‑media accounts and domain‑name registrars.
A tale of two breaches
During the small hours of 13 May, the verified X accounts of ZKsync, an Ethereum Layer‑2 network, and of its developer, Matter Labs, were seized by hackers. The intruders published a thread claiming, falsely, that the US Securities and Exchange Commission had opened an investigation and that the Treasury Department was preparing sanctions. A counterfeit “air‑drop” link invited users to sign away wallet credentials. Matter Labs’ head of communications, Lynnette Nolan, later said the compromise probably stemmed from “delegated accounts” with posting rights but no administrative control, exactly the access marketing agencies often hold.
Although no on‑chain thefts have been confirmed, the rumour briefly pushed the ZK token down by roughly five per cent to US$0.07 before recovering. The episode follows an August 2024 Discord takeover that hit ZKsync alongside several other projects, underlining how repeated Web2 failures can erode investor confidence even when protocol code remains sound.
Curve Finance’s ordeal began the previous evening. At about 21:30 UTC on 12 May its primary domain, curve.fi, was silently redirected to a spoofed front‑end running malicious JavaScript designed to drain wallets once users approved transactions. On‑chain security firm Blockaid spotted the aberrant traffic and warned traders to stay away, describing the incident as a probable “front‑end attack”. Curve’s engineers traced the problem to the registrar, iwantmyname, and asked for the DNS records to be frozen. The registrar complied only the following day, a delay Curve publicly criticised given the platform’s US$3 billion in total value locked.
No confirmed user losses have been reported, but the scare drew inevitable comparisons with a 2022 DNS hijack that siphoned roughly US$570,000 before being contained. The timing added insult: on 5 May, Curve’s own X account had already been hacked and used to push phishing links to followers, an incident that caused no direct losses but highlighted a widening pattern of social‑media breaches across the sector.
Web2: the unresolved single point of failure
Taken together, the attacks show how decentralised finance continues to depend on centralised choke‑points. Control of a project’s DNS records still rests with a registrar; control of its public voice rests with a platform such as X or Discord. Those attack surfaces have become hotspots: Tron DAO’s official X feed was hijacked earlier this month, costing victims an estimated US$45,000, while the account of UK minister Lucy Powell was commandeered in April to promote a spurious “House of Commons” coin.
For developers, the episode revives uncomfortable questions about operational security. Multi‑signature treasury wallets and bug‑bounty programmes protect smart contracts, yet delegated social‑media access often goes unmonitored and DNS changes can slip through without multi‑factor authentication. For regulators, the false SEC headline attached to the ZKsync hoax may provide new ammunition: if a fake tweet can move a token price in minutes, the real agency could argue that stricter disclosure and custody rules are warranted.
Market impact
Market moves were mercifully contained. ZK traded down eight per cent over the 24‑hour window, a modest swing by crypto standards. Curve’s native CRV token fell about seven per cent but avoided the disorderly dump witnessed during the 2022 hijack.
Even so, insurers and venture funds are likely to raise premiums and widen due‑diligence questionnaires. A partner at one London‑based digital‑asset insurer said the firm now demands evidence of registrar‑lock functions and off‑platform password managers before underwriting any policy, measures that would have reduced both incidents to harmless redirections.
Industry response
Curve says it will move critical DNS records behind registry‑level locks and explore decentralised mirrors via the Ethereum Name Service to reduce reliance on a single registrar. Matter Labs has initiated an audit of every third‑party tool with delegated X permissions and promised quarterly penetration tests focused on social‑media security. Both companies have revived discussions around OpenZeppelin’s proposal for signing‑service whitelists at the contract layer, which would reject transactions initiated from unrecognised domains, a technical fix that could raise the bar for wallet drainers.
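As an added example (not code from Curve, Matter Labs or this article), the following Python checks the two controls mentioned above: whether a domain object carries the EPP status locks that block unauthorised transfers and updates, and whether its resolved records have drifted from a pinned baseline, the pattern seen when curve.fi was redirected. The domain names, IP addresses and RDAP payload are constructed; in practice the RDAP document would come from the registry's RDAP service and the observed records from a resolver.

```python
"""Registrar-lock and DNS-drift check for a project's front-end domain.
All sample data below is constructed for illustration."""
from __future__ import annotations
import json

# EPP status values (RFC 8056 RDAP spelling) a registrar sets at the registrant's request.
REGISTRAR_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}
# Registry-level locks, set by the registry itself; harder for a compromised registrar account to clear.
REGISTRY_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}

def missing_locks(rdap_json: str, require_registry_lock: bool = False) -> set[str]:
    """Return the lock statuses absent from an RDAP domain document."""
    status = set(json.loads(rdap_json).get("status", []))
    required = REGISTRAR_LOCKS | (REGISTRY_LOCKS if require_registry_lock else set())
    return required - status

def dns_drift(baseline: dict[str, set[str]], observed: dict[str, set[str]]) -> dict[str, dict[str, set[str]]]:
    """Per record type, report values added to or removed from the pinned baseline."""
    drift: dict[str, dict[str, set[str]]] = {}
    for rtype in baseline.keys() | observed.keys():
        base, obs = baseline.get(rtype, set()), observed.get(rtype, set())
        if base != obs:
            drift[rtype] = {"added": obs - base, "removed": base - obs}
    return drift

def assess(rdap_json: str, baseline: dict[str, set[str]], observed: dict[str, set[str]]) -> list[str]:
    """Combine both checks into a list of human-readable findings (empty means clean)."""
    findings = []
    locks = missing_locks(rdap_json, require_registry_lock=True)
    if locks:
        findings.append(f"missing locks: {sorted(locks)}")
    for rtype, change in sorted(dns_drift(baseline, observed).items()):
        findings.append(f"{rtype} drift: +{sorted(change['added'])} -{sorted(change['removed'])}")
    return findings

# Constructed sample: a domain with partial registrar locks whose A record has moved.
SAMPLE_RDAP = json.dumps({"ldhName": "example-dex.test",
                          "status": ["client transfer prohibited", "client delete prohibited", "active"]})
BASELINE = {"A": {"192.0.2.10"}, "NS": {"ns1.example-dns.test", "ns2.example-dns.test"}}
OBSERVED = {"A": {"203.0.113.77"}, "NS": {"ns1.example-dns.test", "ns2.example-dns.test"}}

if __name__ == "__main__":
    for finding in assess(SAMPLE_RDAP, BASELINE, OBSERVED):
        print("ALERT:", finding)
```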
Practical guidance for users
- Curve Finance: avoid the curve.fi domain until the project issues an all‑clear; use curve.finance and consider revoking any approvals granted on 12–13 May via tools such as Revoke.cash.
- ZKsync: disregard any air‑drop links distributed on 13 May and verify announcements through the project’s GitHub or website rather than through reposted social‑media threads.
- General hygiene: enable hardware‑wallet confirmation, keep two‑factor authentication on all social accounts and scrutinise URLs before connecting a wallet. No protocol, however decentralised, can protect a user who signs blind.
Outlook
The past 48 hours demonstrate that as DeFi scales, reputational risk shifts from code security to interface security. Until registrars, cloud hosts and social‑media firms adopt safeguards commensurate with the value at stake, the sector will remain vulnerable to low‑tech intrusions that masquerade as system failures. For now the damage has been limited; next time the bill may arrive on‑chain.