
Briefing

The decentralized exchanges Aerodrome and Velodrome suffered a coordinated front-end compromise on November 22, 2025, due to a centralized DNS hijacking attack on their primary domains. This infrastructure breach redirected users to malicious phishing sites, where they were socially engineered into signing harmful token approval transactions, effectively draining their wallets. While the underlying smart contracts and protocol treasuries remained secure, the incident resulted in an estimated loss of over $1 million in user assets within the first hour, exposing the critical security gap between on-chain and off-chain dependencies.


Context

The prevailing risk factor for DeFi protocols is often assumed to be smart contract logic flaws; however, a significant attack surface exists in centralized Web2 infrastructure like domain registrars. This is a recurring vulnerability class, as Aerodrome and Velodrome experienced a similar DNS hijack in late 2023, which resulted in over $300,000 in losses. The continued reliance on centralized domain providers for front-end access introduces a single point of failure that bypasses the security of audited on-chain code.


Analysis

The attacker compromised the protocols’ centralized domain registrar, likely through a social engineering or credential theft vector, to maliciously alter the DNS records for domains like aerodrome.finance and velodrome.finance. This change redirected legitimate user traffic to an attacker-controlled phishing site that perfectly mimicked the DEX interface. The malicious site then prompted users for a seemingly innocuous signature request, which was immediately followed by persistent, aggressive prompts for unrestricted token approvals, allowing the attacker to call transferFrom on the user’s approved assets and drain their wallet. The core smart contracts were never compromised; the attack vector was purely the user’s interaction with the malicious front-end.


Parameters

  • Estimated User Loss: Over $1,000,000 (initial assessment of funds stolen from compromised user wallets)
  • Affected Protocols: Aerodrome Finance and Velodrome (top DEXs on Base and Optimism, respectively)
  • Attack Vector: Centralized DNS hijacking (compromise of the domain registrar, not the smart contracts)
  • Affected Chains: Base and Optimism (the networks where the compromised DEXs operate)


Outlook

Immediate mitigation requires all users who accessed the compromised domains to urgently revoke all recent token approvals via a trusted tool like Revoke.cash. For the broader ecosystem, this incident mandates a strategic shift toward fully decentralized access methods, such as utilizing ENS domains and IPFS hosting, to eliminate the centralized domain registrar as a single point of failure. Protocols that maintain hybrid Web2/Web3 infrastructure must implement multi-factor authentication and stricter access controls at the domain registrar level to prevent similar infrastructure-based attacks.

The exploit of centralized DNS infrastructure proves that on-chain security is insufficient when the user’s point of access remains a critical, unhardened Web2 vulnerability.
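The drain path described in the Analysis (a signed approval, then transferFrom by the attacker's spender) and the revocation advice in the Outlook both come down to ERC-20 allowance state. The following is an added example, not code from the original briefing or from either protocol: it replays a wallet's Approval event logs offline, flags allowances that are unlimited or were granted to an untrusted spender inside an assumed incident window, and builds the approve(spender, 0) calldata that revokes them. The event topic and function selector are the standard ERC-20 ones; every address, block number and amount is constructed for the example.

```python
from collections import namedtuple

MAX_UINT256 = 2**256 - 1
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # keccak256("Approval(address,address,uint256)")
Allowance = namedtuple("Allowance", "token spender value block")

def _addr(topic):
    # Indexed address topics are 32 bytes, left-padded; the address is the low 20 bytes.
    return "0x" + topic[-40:].lower()

def current_allowances(logs, owner):
    """Replay Approval events for `owner`; the latest event per (token, spender)
    wins, because approve() overwrites the allowance instead of adding to it."""
    owner, state = owner.lower(), {}
    for log in sorted(logs, key=lambda e: (e["blockNumber"], e["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC or _addr(log["topics"][1]) != owner:
            continue
        token, spender = log["address"].lower(), _addr(log["topics"][2])
        state[(token, spender)] = Allowance(token, spender, int(log["data"], 16), log["blockNumber"])
    return state

def approvals_to_revoke(logs, owner, trusted_spenders, incident_block):
    """Live allowances that are unlimited, or were granted to an untrusted
    spender at or after the incident block. Zero allowances need no action."""
    trusted = {s.lower() for s in trusted_spenders}
    return [a for a in current_allowances(logs, owner).values() if a.value
            and (a.value == MAX_UINT256 or (a.block >= incident_block and a.spender not in trusted))]

def revoke_calldata(spender):
    # ABI-encode approve(spender, 0): selector, 32-byte padded address, 32-byte zero amount.
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample data: every address, block number and amount below is made up.
OWNER, TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "bb" * 20
ROUTER, DRAINER = "0x" + "22" * 20, "0x" + "ee" * 20  # assumed legitimate router / attacker spender
INCIDENT_BLOCK = 200  # assumed first block of the compromise window
def _log(token, spender, value, block, idx):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)], "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [_log(TOKEN_A, ROUTER, 10**18, 100, 0),        # bounded, trusted, pre-incident: keep
               _log(TOKEN_A, DRAINER, MAX_UINT256, 205, 3),  # unlimited, during incident: revoke
               _log(TOKEN_B, DRAINER, 5 * 10**18, 206, 1),   # bounded but untrusted, during incident...
               _log(TOKEN_B, DRAINER, 0, 230, 0)]            # ...later zeroed, so nothing left to revoke
if __name__ == "__main__":
    for a in approvals_to_revoke(SAMPLE_LOGS, OWNER, [ROUTER], INCIDENT_BLOCK):
        print(f"revoke {a.spender} on {a.token}: send calldata {revoke_calldata(a.spender)}")
```

Against real data the logs would come from an RPC eth_getLogs query filtered on the Approval topic and the owner address; the triage and calldata logic is unchanged.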

Tags: DNS hijacking, front-end compromise, centralized risk, token approval, wallet drain, domain registrar, Base network, Optimism network, decentralized exchange, web3 security, infrastructure attack, phishing scam, malicious transaction, token revoke, ENS domain

Signal acquired from: bitget.com
