Briefing

The decentralized exchanges Aerodrome and Velodrome suffered a coordinated front-end compromise on November 22, 2025, after an attacker hijacked the DNS records of their primary domains at the centralized domain registrar. The altered records redirected users to attacker-controlled phishing sites, where they were socially engineered into signing token approval transactions that let the attacker drain their wallets. The underlying smart contracts and protocol treasuries were not affected, but the incident caused an estimated loss of over $1 million in user assets within the first hour, exposing the gap between on-chain security and the off-chain dependencies users rely on to reach it.


Context

The prevailing risk factor for DeFi protocols is often assumed to be smart contract logic flaws; however, a significant attack surface exists in centralized Web2 infrastructure such as domain registrars. This is a recurring vulnerability class: Aerodrome and Velodrome experienced a similar DNS hijack in late 2023, which resulted in over $300,000 in losses. Continued reliance on a centralized domain provider for front-end access introduces a single point of failure that sidesteps the security of audited on-chain code entirely, because the contracts behave exactly as designed while the user is tricked into authorizing the wrong party.


Analysis

The attacker compromised the protocols’ centralized domain registrar, likely through social engineering or credential theft, and altered the DNS records for domains such as aerodrome.finance and velodrome.finance. The change redirected legitimate user traffic to an attacker-controlled phishing site that mimicked the DEX interface. The malicious site first prompted users for a seemingly innocuous signature request, then followed with persistent, aggressive prompts for unrestricted ERC-20 token approvals. Once a user granted an approval to the attacker’s address, the attacker could call transferFrom on the approved token balances and drain the wallet in a transaction the user never saw. The core smart contracts were never compromised; the attack vector was purely the user’s interaction with the malicious front-end.
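The first step of the attack described above is a change to the victim domains’ DNS records. The following is an added example, not code from the article or from the Aerodrome or Velodrome teams, of the kind of external check that catches such a change: it compares a domain’s currently resolved records against a pinned snapshot and distinguishes a change to the NS delegation (which points at the registrar or delegation being tampered with) from a change limited to A/AAAA/CNAME records (which points at the DNS zone itself). The pinned and “observed” values in the sample are constructed placeholders using RFC 5737 documentation addresses, not the real records of either protocol.

```javascript
'use strict';
// Added example (not part of the article). Compare resolved DNS records
// against a pinned snapshot to detect a front-end DNS hijack.

// Names are case-insensitive and may arrive with a trailing dot; addresses
// are compared as-is.
function normalizeValue(type, value) {
  if (type === 'A' || type === 'AAAA') return value.trim();
  return value.trim().toLowerCase().replace(/\.$/, '');
}

// expected / observed: { A: [...], AAAA: [...], NS: [...], CNAME: [...] }.
// Returns one finding per record type whose set of values differs.
function diffRecords(domain, expected, observed) {
  const findings = [];
  for (const type of Object.keys(expected)) {
    const want = new Set(expected[type].map((v) => normalizeValue(type, v)));
    const got = new Set((observed[type] || []).map((v) => normalizeValue(type, v)));
    const unexpected = [...got].filter((v) => !want.has(v));
    const missing = [...want].filter((v) => !got.has(v));
    if (unexpected.length || missing.length) {
      findings.push({ domain, type, unexpected, missing });
    }
  }
  return findings;
}

// A changed NS set means the delegation itself was altered (registrar or
// parent-zone level); a change confined to A/AAAA/CNAME means someone edited
// the zone at the DNS provider. Both warrant paging, the first more urgently.
function assess(findings) {
  if (findings.length === 0) return 'ok';
  if (findings.some((f) => f.type === 'NS')) return 'registrar-level-change';
  return 'zone-change';
}

// Live resolution for real use (not exercised by the offline sample below).
// Uses Node's built-in resolver; record types that return no data are
// treated as an empty set so they still show up as "missing" in the diff.
async function resolveSnapshot(domain, types = ['A', 'AAAA', 'NS', 'CNAME']) {
  const { promises: dnsp } = await import('node:dns');
  const snapshot = {};
  for (const type of types) {
    try {
      snapshot[type] = await dnsp.resolve(domain, type);
    } catch (err) {
      snapshot[type] = []; // ENODATA / ENOTFOUND / timeout
    }
  }
  return snapshot;
}

// Constructed sample data (placeholders, not real records).
const DOMAIN = 'dex.example';
const PINNED = {
  A: ['203.0.113.10', '203.0.113.11'],
  NS: ['ns1.example-dns.net', 'ns2.example-dns.net'],
};
const OBSERVED_CLEAN = {
  A: ['203.0.113.11', '203.0.113.10'],
  NS: ['NS1.example-dns.net.', 'ns2.example-dns.net.'], // case / trailing dot only
};
const OBSERVED_HIJACKED = {
  A: ['198.51.100.77'],
  NS: ['ns1.attacker-dns.example', 'ns2.attacker-dns.example'],
};

function runSample() {
  return {
    clean: assess(diffRecords(DOMAIN, PINNED, OBSERVED_CLEAN)),
    hijacked: assess(diffRecords(DOMAIN, PINNED, OBSERVED_HIJACKED)),
    hijackedFindings: diffRecords(DOMAIN, PINNED, OBSERVED_HIJACKED),
  };
}

console.log(JSON.stringify(runSample(), null, 2));
```

In production the snapshot would be taken by `resolveSnapshot` from several vantage points and several public resolvers on a short interval, since a registrar-level change propagates within minutes and the first hour is where most of the losses in this incident occurred. Pin the NS set as well as the A records; a hijack that only changes NS records leaves the old A records visible from caches for a while and is easy to miss if only addresses are compared.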


Parameters

  • Estimated User Loss → Over $1,000,000 (Initial assessment of funds stolen from compromised user wallets)
  • Affected Protocols → Aerodrome Finance and Velodrome (Top DEXs on Base and Optimism, respectively)
  • Attack Vector → Centralized DNS Hijacking (Compromise of domain registrar, not smart contract)
  • Affected Chains → Base and Optimism (The networks where the compromised DEXs operate)


Outlook

Immediate mitigation requires all users who accessed the compromised domains to urgently revoke all recent token approvals via a trusted tool such as Revoke.cash; revoking sets the allowance back to zero and stops further transferFrom calls, but it does not recover assets that were already moved. For the broader ecosystem, this incident mandates a strategic shift toward decentralized access methods, such as ENS domains and IPFS hosting, that remove the centralized domain registrar as a single point of failure. Protocols that maintain hybrid Web2/Web3 infrastructure must enforce multi-factor authentication and registrar-level locks on their domain accounts, restrict who can change DNS records, and monitor their records from outside their own infrastructure so that a hijack is detected in minutes rather than hours.
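The drain mechanism from the Analysis section (an unrestricted ERC-20 approve followed by transferFrom) and the revocation advice above both come down to the same calldata. The following is an added example, not code from the article, from Revoke.cash, or from either protocol, showing how a wallet or browser extension could decode an `eth_sendTransaction` request before the user signs it, flag an approve() call whose spender is not the dapp’s known contract or whose amount is effectively unlimited, and build the approve(spender, 0) transaction that revokes an allowance. The function selectors are the well-known first four bytes of keccak256 over the canonical signatures and are hard-coded because Node’s crypto module has no keccak-256; the token, router and attacker addresses are constructed placeholders, and treating any amount of 2^255 or more as unlimited is this example’s own threshold.

```javascript
'use strict';
// Added example (not part of the article). Decode ERC-20 approve()/transferFrom()
// calldata, classify approval requests, and build revoke calldata.

// First 4 bytes of keccak256("approve(address,uint256)") and
// keccak256("transferFrom(address,address,uint256)"); hard-coded constants.
const SELECTORS = {
  approve: '095ea7b3',
  transferFrom: '23b872dd',
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption used by this example: allowances at or above 2^255 are treated
// as unlimited, since no real token supply comes anywhere near that value.
const UNLIMITED_THRESHOLD = 1n << 255n;

function normalizeHex(hex) {
  const h = hex.startsWith('0x') ? hex.slice(2) : hex;
  if (!/^[0-9a-fA-F]*$/.test(h)) throw new Error('invalid hex');
  return h.toLowerCase();
}

// i-th 32-byte ABI word after the 4-byte selector, as 64 hex characters.
function abiWord(data, i) {
  const start = 8 + i * 64;
  const w = data.slice(start, start + 64);
  if (w.length !== 64) throw new Error('calldata too short');
  return w;
}

// Addresses are right-aligned in their 32-byte word, so take the last 40 chars.
function decodeCalldata(calldata) {
  const data = normalizeHex(calldata);
  const selector = data.slice(0, 8);
  if (selector === SELECTORS.approve) {
    return {
      fn: 'approve',
      spender: '0x' + abiWord(data, 0).slice(24),
      amount: BigInt('0x' + abiWord(data, 1)),
    };
  }
  if (selector === SELECTORS.transferFrom) {
    return {
      fn: 'transferFrom',
      from: '0x' + abiWord(data, 0).slice(24),
      to: '0x' + abiWord(data, 1).slice(24),
      amount: BigInt('0x' + abiWord(data, 2)),
    };
  }
  return { fn: 'unknown', selector: '0x' + selector };
}

// Classify an eth_sendTransaction request { to, data } against the spenders
// the dapp is expected to use (its router or Permit2-style contract).
function classifyApproval(tx, trustedSpenders) {
  const decoded = decodeCalldata(tx.data);
  if (decoded.fn !== 'approve') return { verdict: 'not-approval', decoded };
  const trusted = new Set(trustedSpenders.map((a) => normalizeHex(a)));
  if (!trusted.has(normalizeHex(decoded.spender))) {
    return { verdict: 'untrusted-spender', decoded };
  }
  if (decoded.amount >= UNLIMITED_THRESHOLD) {
    return { verdict: 'unlimited-approval', decoded };
  }
  return { verdict: 'ok', decoded };
}

// ABI-encode approve(spender, amount): selector + 32-byte address word + 32-byte uint.
function encodeApprove(spender, amount) {
  const addr = normalizeHex(spender);
  if (addr.length !== 40) throw new Error('bad address');
  if (amount < 0n || amount > MAX_UINT256) throw new Error('amount out of range');
  return '0x' + SELECTORS.approve + addr.padStart(64, '0') + amount.toString(16).padStart(64, '0');
}

// Revocation is simply an approve() with amount 0 sent to the token contract.
function buildRevokeCalldata(spender) {
  return encodeApprove(spender, 0n);
}

// Constructed sample: placeholder addresses, not real contracts.
const TOKEN = '0x1111111111111111111111111111111111111111';
const DAPP_ROUTER = '0x2222222222222222222222222222222222222222';
const ATTACKER = '0x3333333333333333333333333333333333333333';

// What the phishing front-end asks the wallet to sign: unlimited approval to the attacker.
const phishingRequest = { to: TOKEN, data: encodeApprove(ATTACKER, MAX_UINT256) };
// What the legitimate front-end would ask for: a bounded approval to the dapp's router.
const normalRequest = { to: TOKEN, data: encodeApprove(DAPP_ROUTER, 1000n * 10n ** 18n) };

console.log('phishing :', classifyApproval(phishingRequest, [DAPP_ROUTER]).verdict);
console.log('normal   :', classifyApproval(normalRequest, [DAPP_ROUTER]).verdict);
console.log('revoke tx:', { to: TOKEN, data: buildRevokeCalldata(ATTACKER) });
```

Two caveats for anyone turning this into a real guard. First, the spender allowlist is only as good as its source: a phishing site serving the same JavaScript can ship its own list, so the allowlist belongs in the wallet or extension, not in the dapp front-end. Second, allowances can also be granted by an off-chain EIP-2612 permit signature, which never passes through `eth_sendTransaction`; a check on transaction calldata alone does not cover that path, so signature requests for typed data need their own inspection.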

The exploit of centralized DNS infrastructure shows that on-chain security is insufficient when the user’s point of access remains an unhardened Web2 dependency.

Tags: DNS hijacking, front-end compromise, centralized risk, token approval, wallet drain, domain registrar, Base network, Optimism network, decentralized exchange, web3 security, infrastructure attack, phishing scam, malicious transaction, token revoke, ENS domain

Signal Acquired from → bitget.com

Micro Crypto News Feeds