VERDICT —OUT OF SCOPE
Root cause is phishing — victims signed malicious transactions or approvals off-protocol. Contract logic was not the failure surface; user-side wallet hygiene was. Pre-deployment audit cannot catch this class.
▰ METHOD
PHISHING
PHISHING
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
Recently, a user suffered a phishing attack while visiting the Curve exchange website, and lost 20 Bitcoins. It is reported that the fraud group used the Google advertising system to purchase Google search ads, pretending to be the Curve exchange for fraudulent advertising. Due to google’s new advertising program, ads are usually displayed in the first place in search, which has caused many users to be deceived. Attack method (per SlowMist): Phishing attack. Reported loss: 20 BTC.
Primary source
https://www.btcfans.com/en-us/flash/id-30048 ↗Sourced from
slowmist
Technical record
- chain
- —
- protocol
- Curve Finance
- bug_class
- phishing
- date_occurred
- 2020-10-11
- loss_usd
- —
- source_id
- sm:curve-finance::2020-10-11
Related — same bug class· phishing