Proposal to Recompensate Users Affected by Curve.fi DNS Hijack (veCRV holders)

Summary:

This proposal requests DAO approval to establish a verification and coordination framework for users affected by the DNS hijack that occurred on May 12, 2025. Reimbursement under this framework is discretionary and subject to DAO approval; this proposal authorizes a process, not a guaranteed outcome.

The hacking incident redirected users from the legitimate front-end to a fraudulent replica, where malicious signatures led to unauthorized asset transfers. Curve’s on-chain contracts and protocol infrastructure remained secure; the exploit was isolated to the front-end domain layer.

As part of this compensation initiative, 17 actively participating victims have come together to jointly document, verify, and present their claims. These 17 victims collectively suffered approximately USD $182,574.59* in stolen digital assets (across USDC, ETH, and other tokens).

*USD values at the time of hack on May 12, 2025; original assets were in the form of various tokens including but not limited to USDC, ETH, etc.

A redacted asset summary table is included below to demonstrate the clarity, completeness, and lack of ambiguity surrounding the claims. Personal information, such as wallet addresses and transaction hashes, has been removed and will be validated independently by the authorized third-party coordination entity during the verification process.

[Image: redacted asset summary table]

*Snapshot CRV price: $0.2224 (Feb 23rd, 2026)

According to Curve’s internal assessment, approximately 21 wallets were affected in total. This proposal focuses on the ~20 smaller victims, whose aggregate losses are estimated at approximately USD $300,000 (based on token prices at the time of the incident).

To ensure fairness and community inclusivity, victims who are not currently participating in the preparation of this proposal may also apply for reimbursement by submitting their claims and supporting evidence to the authorized coordination entity. Such claims will be evaluated to confirm that losses were directly caused by the May 12, 2025 DNS hijack, and will be eligible for reimbursement subject to verification.

This approach ensures that all smaller victims, both active and non-participating, have a clear, transparent pathway to compensation, while maintaining rigorous verification standards and safeguarding the integrity of the DAO’s reimbursement process.

The proposal establishes a DAO-approved verification and coordination framework to identify, validate, and reimburse verified smaller victims, ensuring transparency, accountability, and fairness for all affected participants.

Abstract:

The DAO will authorize a third-party coordination entity to execute the following operational tasks on its behalf:

  1. Conduct KYC and wallet-ownership verification of affected users.

  2. Collect and validate evidence of losses.

  3. Compile a public verification report for transparency and auditability.

  4. Coordinate reimbursement from the DAO treasury to all verified victims.

Subject to DAO approval, verified smaller victims may be compensated through this process while assigning their recovery and restitution claims to the substantial victim, enabling unified legal action and ensuring that no party receives double recovery. Swiss Stake AG is proposed as the initial coordinator, subject to DAO discussion and approval.

Motivation:

The DNS hijack on May 12, 2025 affected a small portion of Curve’s overall user base, but the losses were material for those impacted. While the protocol’s smart contracts remained secure, the front-end compromise resulted in roughly $300,000 in unrecovered losses for smaller victims who interacted in good faith with what appeared to be the legitimate Curve interface.

This framework is in the best interest of Curve DAO and its community, reinforcing trust, ensuring consistent treatment of all victims, and strengthening Curve’s long-term reputation for responsibility and user protection.

Specification:

This proposal authorizes a DAO-appointed third-party coordination entity to carry out the verification, reporting, and reimbursement coordination process for smaller victims of the May 12, 2025 DNS hijack. The coordinator’s role is strictly administrative and operational: claim intake, coordination of identity and wallet-ownership verification (directly or via specialized third-party providers such as KYC services), evidence aggregation, reporting, and logistics coordination for any DAO-approved reimbursement. The coordinator executes the approved process but does not hold discretionary authority over eligibility, compensation amounts, or DAO intent, and does not assume legal responsibility or act in any legal capacity on behalf of the DAO or victims. Third-party coordination fees shall be reasonable, aligned with market best practices, pre-defined, and disclosed to the DAO for transparency. The process is divided into three phases:

Phase 1 - Verification & Coordination

The coordinator will conduct KYC and identity checks, validate wallet ownership, and confirm that all claimed losses originated from the May 12, 2025 incident. They will collect and review transaction evidence from each applicant and aggregate all validated information into a unified registry of verified victims.

Victims are strongly encouraged to file a local police report where possible, as it may support future coordinated recovery efforts once claims are assigned. If filing a report is not feasible due to local regulations or jurisdictional limitations, victims shall provide a credible explanation and, where available, a public reference indicating why such a report cannot be filed.

Phase 2 - Reporting & Confirmation

The coordinator will deliver a public verification report that summarizes the verified victims (while maintaining the victims’ privacy), the assets stolen, and their USD values as of May 12, 2025, along with confirmation that all verification requirements were met. A supporting spreadsheet (e.g., a public Google Sheet) will be published for community transparency and review.

Phase 3 - Reimbursement & Closure (Rolling Process)

Reimbursements will be processed on a rolling basis. As each victim completes verification, the coordinator will submit their finalized entry to the victim registry, after which the DAO treasury will reimburse the corresponding amount from the approved allocation. Losses will be valued using USD token prices from May 12, 2025 and converted into CRV at the time of each individual payout to minimize price-volatility risk. Following reimbursement, the coordinator will facilitate the assignment of recovery and restitution claims from smaller victims to the substantial victim.

Funding Source

Recompensation funds will come from the DAO treasury (or another pool designated by governance) in the form of CRV tokens. Each victim’s loss will be valued using the USD value of the stolen assets at the time of the incident (May 12, 2025). The equivalent CRV token amount will be calculated at the time of disbursement (Phase 3) using the prevailing market price of CRV in order to minimize exposure to token-price volatility. Reimbursements will be made in unlocked CRV, with tokens delivered directly to verified victims on the day of payout. The appointed coordinator’s fees will also be covered by this proposal, with payment drawn from the same DAO-designated funding source.
