Briefing

The decentralized exchanges Aerodrome and Velodrome suffered a coordinated front-end compromise on November 22, 2025, after a DNS hijack at their centralized domain registrar altered the records for their primary domains. The hijack redirected users to attacker-controlled phishing sites, where they were socially engineered into signing token approval transactions that let the attacker drain their wallets. The underlying smart contracts and protocol treasuries were untouched, yet the incident caused an estimated loss of over $1 million in user assets within the first hour, exposing the security gap between audited on-chain code and the off-chain infrastructure users rely on to reach it.


Context

The prevailing risk factor for DeFi protocols is often assumed to be smart contract logic flaws; however, a significant attack surface exists in centralized Web2 infrastructure such as domain registrars and DNS providers. This is a recurring vulnerability class: Aerodrome and Velodrome experienced a similar DNS hijack in late 2023, which resulted in over $300,000 in losses. Continued reliance on a centralized domain provider for front-end access leaves a single point of failure that sits entirely outside the scope of a smart contract audit.


Analysis

The attacker compromised the protocols' account at their centralized domain registrar (the entry vector is reported only as likely social engineering or credential theft) and altered the DNS records for domains such as aerodrome.finance and velodrome.finance. The change redirected legitimate user traffic to an attacker-controlled phishing site that closely mimicked the DEX interface. The malicious site first prompted users for a seemingly innocuous signature request, then followed up with persistent, aggressive prompts for unlimited token approvals. An ERC-20 approve() call grants the named spender an allowance that persists on-chain until the owner explicitly overwrites it; once a user had approved the attacker's address, the attacker could call transferFrom at any later time, without further interaction from the victim, and move the approved balance out of the wallet. The core smart contracts were never compromised; the attack vector was purely the user's interaction with the malicious front-end, and the resulting approvals are valid transactions from the chain's point of view.


Parameters

  • Estimated User Loss → Over $1,000,000 (Initial assessment of funds stolen from compromised user wallets)
  • Affected Protocols → Aerodrome Finance and Velodrome (Top DEXs on Base and Optimism, respectively)
  • Attack Vector → Centralized DNS Hijacking (Compromise of domain registrar, not smart contract)
  • Affected Chains → Base and Optimism (The networks where the compromised DEXs operate)


Outlook

Immediate mitigation requires every user who interacted with the compromised domains to revoke the token approvals granted during that window, on each affected chain (Base and Optimism), using a trusted tool such as Revoke.cash or by sending approve(spender, 0) directly from a known-good interface; an allowance granted to the attacker stays exploitable until it is overwritten, so "waiting it out" is not an option. For the broader ecosystem, the incident argues for decentralized access paths such as ENS names with IPFS-hosted front-ends, which remove the registrar from the trust chain for users whose wallets or browsers resolve them natively; users who still type the conventional domain remain exposed, so this is a complement to, not a replacement for, hardening the registrar account. Protocols that keep hybrid Web2/Web3 infrastructure should at minimum enforce multi-factor authentication and tightly scoped access on the registrar account, enable registrar and transfer locks on the domain, sign the zone with DNSSEC, and monitor the published DNS records so a silent record change is detected before users are, rather than after the first hour of drains.
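The drain mechanism in the Analysis section and the revoke step above come down to the same ERC-20 allowance state. The following is an added example, not code from the original article nor from Aerodrome or Velodrome: it decodes ERC-20 Approval event logs for one wallet, keeps the latest allowance per (token, spender) because approve() overwrites rather than adds, flags any nonzero allowance to a spender not on an explicit allowlist, and builds the approve(spender, 0) calldata that revokes it. The Approval topic hash and the approve selector are the standard ERC-20 constants; every address, amount and the allowlist are constructed for the example, and only the standard library is used so it runs offline.

```python
# Added example: scan constructed ERC-20 Approval logs for a wallet, flag
# allowances granted to unknown spenders, and build the revoke transactions.
# Not code from the article or from either protocol; all addresses are made up.

# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# first 4 bytes of keccak256("approve(address,uint256)"), the standard selector
APPROVE_SELECTOR = "0x095ea7b3"
UINT256_MAX = 2**256 - 1


def topic_to_address(topic):
    """Indexed address arguments are left-padded to 32 bytes inside a topic."""
    return "0x" + topic[-40:].lower()


def decode_approval(log):
    """Return (token, owner, spender, value) for an Approval log, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    value = int(log["data"], 16)  # non-indexed uint256 lives in the data field
    return (log["address"].lower(), topic_to_address(topics[1]),
            topic_to_address(topics[2]), value)


def latest_allowances(logs, owner):
    """approve() overwrites, so the last Approval per (token, spender) wins.
    Logs are assumed to be in chain order (block number, then log index)."""
    current = {}
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None or decoded[1] != owner.lower():
            continue
        token, _owner, spender, value = decoded
        current[(token, spender)] = value
    return current


def risky_allowances(logs, owner, trusted_spenders):
    """Nonzero allowances to any spender outside the allowlist."""
    trusted = {s.lower() for s in trusted_spenders}
    risky = []
    for (token, spender), value in latest_allowances(logs, owner).items():
        if value == 0 or spender in trusted:
            continue
        risky.append({"token": token, "spender": spender, "value": value,
                      "unlimited": value == UINT256_MAX})
    return risky


def revoke_calldata(spender):
    """ABI encoding of approve(spender, 0): selector, 32-byte address, 32-byte zero."""
    return APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64


def build_revoke_txs(logs, owner, trusted_spenders):
    """One approve(spender, 0) call per risky allowance, sent to the token contract."""
    return [{"from": owner, "to": r["token"], "data": revoke_calldata(r["spender"])}
            for r in risky_allowances(logs, owner, trusted_spenders)]


# --- constructed sample data (hypothetical addresses, not real contracts) ---
OWNER = "0x" + "11" * 20     # the victim wallet
ROUTER = "0x" + "22" * 20    # a legitimate DEX router the user meant to approve
DRAINER = "0x" + "33" * 20   # attacker-controlled spender from the phishing site
TOKEN_A = "0x" + "aa" * 20
TOKEN_B = "0x" + "bb" * 20


def _topic(addr):
    return "0x" + addr[2:].rjust(64, "0")


def _data(value):
    return "0x" + format(value, "064x")


SAMPLE_LOGS = [
    # normal approval to the router: kept, since the router is allowlisted
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(ROUTER)],
     "data": _data(1000 * 10**18)},
    # unlimited approval signed on the phishing page: flagged
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DRAINER)],
     "data": _data(UINT256_MAX)},
    # earlier approval on another token, later overwritten to zero: not flagged
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DRAINER)],
     "data": _data(5 * 10**18)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(DRAINER)],
     "data": _data(0)},
]

if __name__ == "__main__":
    for tx in build_revoke_txs(SAMPLE_LOGS, OWNER, [ROUTER]):
        print(tx)
```

Against the sample logs only the unlimited TOKEN_A allowance to DRAINER is flagged; the TOKEN_B allowance is ignored because its most recent Approval set it to zero, which is exactly the state a successful revoke leaves behind. In practice the logs come from eth_getLogs filtered on the Approval topic with the owner in topic[1], per chain, and the allowlist should be verified against the protocol's published contract addresses rather than anything shown on a web page.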

The exploit of centralized DNS infrastructure shows that on-chain security is insufficient when the user's point of access remains an unhardened Web2 dependency.

Signal Acquired from → bitget.com
