Briefing

The decentralized exchanges Aerodrome and Velodrome suffered a coordinated front-end compromise on November 22, 2025, due to a centralized DNS hijacking attack on their primary domains. This infrastructure breach redirected users to malicious phishing sites, where they were socially engineered into signing harmful token approval transactions, effectively draining their wallets. While the underlying smart contracts and protocol treasuries remained secure, the incident resulted in an estimated loss of over $1 million in user assets within the first hour, exposing the critical security gap between on-chain and off-chain dependencies.


Context

The prevailing risk factor for DeFi protocols is often assumed to be smart contract logic flaws; however, a significant attack surface exists in centralized Web2 infrastructure like domain registrars. This is a recurring vulnerability class, as Aerodrome and Velodrome experienced a similar DNS hijack in late 2023, which resulted in over $300,000 in losses. The continued reliance on centralized domain providers for front-end access introduces a single point of failure that bypasses the security of audited on-chain code.


Analysis

The attacker compromised the protocols’ centralized domain registrar, likely through a social engineering or credential theft vector, to maliciously alter the DNS records for domains like aerodrome.finance and velodrome.finance. This change redirected legitimate user traffic to an attacker-controlled phishing site that perfectly mimicked the DEX interface. The malicious site then prompted users for a seemingly innocuous signature request, which was immediately followed by persistent, aggressive prompts for unrestricted token approvals, allowing the attacker to call transferFrom on the user’s approved assets and drain their wallet. The core smart contracts were never compromised; the attack vector was purely the user’s interaction with the malicious front-end.


Parameters

  • Estimated User Loss → Over $1,000,000 (Initial assessment of funds stolen from compromised user wallets)
  • Affected Protocols → Aerodrome Finance and Velodrome (Top DEXs on Base and Optimism, respectively)
  • Attack Vector → Centralized DNS Hijacking (Compromise of domain registrar, not smart contract)
  • Affected Chains → Base and Optimism (The networks where the compromised DEXs operate)


Outlook

Immediate mitigation requires all users who accessed the compromised domains to urgently revoke all recent token approvals via a trusted tool like Revoke.cash. For the broader ecosystem, this incident mandates a strategic shift toward fully decentralized access methods, such as utilizing ENS domains and IPFS hosting, to eliminate the centralized domain registrar as a single point of failure. Protocols that maintain hybrid Web2/Web3 infrastructure must implement multi-factor authentication and stricter access controls at the domain registrar level to prevent similar infrastructure-based attacks.
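The approval-drain mechanism described in the Analysis and the revocation step recommended above, as an added example that is not part of this briefing: it replays a wallet's ERC-20 Approval events (constructed sample logs; every token, owner and spender address is a placeholder) to list allowances still open since the incident block, and builds the approve(spender, 0) calldata that revokes each one.

```python
# Added example, not from the original briefing. Offline triage of ERC-20
# Approval events for one wallet after a front-end compromise. All logs and
# addresses below are constructed placeholders, not real on-chain data.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1                 # the "unrestricted" approval value
APPROVE_SELECTOR = "095ea7b3"          # keccak256("approve(address,uint256)")[:4]

def topic_to_address(topic: str) -> str:
    """Indexed address topics are 32 bytes; the address is the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def outstanding_allowances(logs, owner, incident_block):
    """Latest nonzero allowance per (token, spender) set at/after incident_block.
    Events are replayed in (block, logIndex) order so that a later
    approve(spender, 0) correctly supersedes an earlier unlimited approval."""
    owner = owner.lower()
    latest = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        if log["topics"][0] != APPROVAL_TOPIC:
            continue
        if topic_to_address(log["topics"][1]) != owner:
            continue
        key = (log["address"].lower(), topic_to_address(log["topics"][2]))
        latest[key] = (log["blockNumber"], int(log["data"], 16))
    return {k: v[1] for k, v in latest.items() if v[1] > 0 and v[0] >= incident_block}

def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0), sent to the token contract to revoke."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

# Constructed sample wallet, contracts and logs (placeholders only).
OWNER, ROUTER, DRAINER = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20
TOKEN_A, TOKEN_B = "0x" + "aa" * 20, "0x" + "bb" * 20

def topic(addr: str) -> str:
    return "0x" + addr[2:].rjust(64, "0")

def ev(token, block, idx, spender, value):
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, topic(OWNER), topic(spender)], "data": hex(value)}

SAMPLE_LOGS = [
    ev(TOKEN_A, 100, 0, ROUTER, 1000 * 10**18),   # normal approval before the incident
    ev(TOKEN_A, 500, 3, DRAINER, UNLIMITED),      # unlimited approval signed on phishing site
    ev(TOKEN_B, 501, 1, DRAINER, UNLIMITED),      # same, second token
    ev(TOKEN_B, 600, 0, DRAINER, 0),              # user already revoked this one
]

if __name__ == "__main__":
    for (token, spender), value in outstanding_allowances(SAMPLE_LOGS, OWNER, 500).items():
        print(f"REVOKE token={token} spender={spender} value={value}")
        print("  calldata:", revoke_calldata(spender))
```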

The exploit of centralized DNS infrastructure proves that on-chain security is insufficient when the user’s point of access remains a critical, unhardened Web2 vulnerability.

Signal Acquired from → bitget.com
