Security

Aerodrome Finance Users Drained by Malicious Token Approvals via DNS Hijacking

Centralized domain registrar failure enabled DNS hijacking, compromising the front-end and tricking users into signing unlimited token approvals.
November 23, 20253 min

The image features a close-up of interconnected white modular units with metallic screw-like connectors. Transparent, glowing blue cubic structures, appearing as digital data, are embedded within and around these units against a blue background
A clear, faceted, crystalline object rests on a dark surface, partially enclosing a dark blue, textured component. A central metallic gear-like mechanism is embedded within the blue material, from which a black cable extends across the foreground towards a blurred, multi-toned mechanical device in the background

Briefing

A critical security incident unfolded at Aerodrome Finance, where attackers successfully executed a DNS hijacking attack against the protocol’s centralized domain registrar. This compromise rerouted legitimate users to a sophisticated phishing interface, resulting in the mass signing of malicious token approval transactions that granted the attacker unlimited asset access. The core consequence is direct user fund loss, as the exploit bypassed the security of the underlying smart contracts entirely. Forensic analysis suggests the immediate loss exceeded $1 million from compromised user accounts.

The image displays a close-up perspective of two interconnected, robust electronic components against a neutral grey background. A prominent translucent blue module, possibly a polymer, houses a brushed metallic block, while an adjacent silver-toned metallic casing features a circular recess and various indentations

Context

The prevailing security posture in decentralized finance has often over-prioritized smart contract audits while under-securing off-chain dependencies. This incident highlights the persistent, known risk of centralized single points of failure, such as domain registrars and front-end hosting. The vector leveraged is a classic supply chain attack, where a weakness in a third-party service provider compromises the entire user experience.

The image displays a high-fidelity rendering of a transparent device, revealing complex internal blue components and a prominent brushed metal surface. The device's outer shell is clear, showcasing the intricate design of its inner workings

Analysis

The attack vector compromised the protocol’s centralized domain registrar, Box Domains, allowing the attacker to seize control of the.finance and.box domains. This domain takeover facilitated the redirection of user traffic to a malicious, visually identical phishing site. Users interacting with this fraudulent interface were prompted to execute a two-stage attack → first, a seemingly innocuous signature request, immediately followed by an aggressive, high-risk request for unlimited token approvals (e.g.

ETH, USDC). The success of the exploit hinged on leveraging the user’s trust in the front-end to authorize the approve() function, thereby granting the attacker permission to drain the approved assets.

A sleek, futuristic white and metallic cylindrical apparatus rests partially submerged in dark blue water. From its open end, a significant volume of white, granular substance and vibrant blue particles ejects, creating turbulent ripples

Parameters

  • Key Metric → Over $1 Million – The estimated total value siphoned from compromised user wallets.
  • Attack Vector → DNS Hijacking – The method used to redirect users to the malicious phishing site.
  • Affected Component → Centralized Domain Registrar – The specific third-party service that was compromised to initiate the attack.
  • Affected Network → Base – The blockchain network where the victim protocol primarily operates.

A highly detailed, abstract render showcases a futuristic technological device with a clear, spherical front element. This orb is surrounded by segmented white plating and numerous angular, translucent blue components that glow with internal light

Outlook

Immediate mitigation requires all users who accessed the site during the incident window to revoke token approvals immediately using external tools like Revoke.cash. The contagion risk is high for any protocol relying on centralized DNS or front-end infrastructure, necessitating a rapid shift toward decentralized front-end hosting solutions such as ENS mirrors. This event will likely establish a new security best practice mandating the adoption of a fully decentralized user access layer to eliminate the centralized domain registrar as a single point of failure.

A snow-covered mass, resembling an iceberg, floats in serene blue water, hosting a textured white sphere and interacting with a metallic, faceted object. From this interaction, a vivid blue liquid cascades into the water, creating white splashes

Verdict

This DNS hijacking definitively proves that a protocol’s security perimeter must extend beyond the smart contract layer to encompass all centralized off-chain infrastructure that manages user access and trust.

DNS hijacking, front-end compromise, token approval scam, domain registrar vulnerability, decentralized exchange risk, social engineering attack, malicious signature request, unlimited token access, Base network security, user asset drain, web security flaw, off-chain exploit, critical infrastructure risk, phishing campaign, decentralized access Signal Acquired from → ainvest.com

Micro Crypto News Feeds

token approval

Definition ∞ Token Approval is a function within smart contracts that grants a specific address or contract permission to spend a certain amount of a particular token on behalf of the token owner.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

signature request

Definition ∞ A signature request in the digital asset context is a prompt for a user to cryptographically sign a transaction or message using their private key.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

network

Definition ∞ A network is a system of interconnected computers or devices capable of communication and resource sharing.

token approvals

Definition ∞ Token approvals are permissions granted by a token holder that allow a smart contract or another address to interact with their tokens, such as transferring or spending them.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

Tags:

Tags: