Security

Aerodrome Finance Users Drained by Malicious Token Approvals via DNS Hijacking

Centralized domain registrar failure enabled DNS hijacking, compromising the front-end and tricking users into signing unlimited token approvals.
November 23, 20253 min

A close-up view reveals a complex, translucent structural network, adorned with a frosty texture and embedded with reflective spheres. A prominent, metallic blue spiral element grounds the intricate connections
The image displays an abstract molecular-like structure featuring a central white sphere orbited by a white ring. Surrounding this core are multiple blue crystalline shapes and smaller white spheres, all interconnected by white rods

Briefing

A critical security incident unfolded at Aerodrome Finance, where attackers successfully executed a DNS hijacking attack against the protocol’s centralized domain registrar. This compromise rerouted legitimate users to a sophisticated phishing interface, resulting in the mass signing of malicious token approval transactions that granted the attacker unlimited asset access. The core consequence is direct user fund loss, as the exploit bypassed the security of the underlying smart contracts entirely. Forensic analysis suggests the immediate loss exceeded $1 million from compromised user accounts.

Intricate blue circuit board traces form the foundation for a conceptual representation of advanced digital infrastructure. A central, glowing transparent sphere is cradled by a white, segmented circular frame, symbolizing a critical component within a digital ecosystem

Context

The prevailing security posture in decentralized finance has often over-prioritized smart contract audits while under-securing off-chain dependencies. This incident highlights the persistent, known risk of centralized single points of failure, such as domain registrars and front-end hosting. The vector leveraged is a classic supply chain attack, where a weakness in a third-party service provider compromises the entire user experience.

A highly detailed, futuristic mechanical structure dominates the frame, showcasing pristine white outer plating and an intricate network of glowing blue translucent internal components. The central element features a complex circular mechanism, surrounded by precisely articulated segments that extend into a larger system

Analysis

The attack vector compromised the protocol’s centralized domain registrar, Box Domains, allowing the attacker to seize control of the.finance and.box domains. This domain takeover facilitated the redirection of user traffic to a malicious, visually identical phishing site. Users interacting with this fraudulent interface were prompted to execute a two-stage attack → first, a seemingly innocuous signature request, immediately followed by an aggressive, high-risk request for unlimited token approvals (e.g.

ETH, USDC). The success of the exploit hinged on leveraging the user’s trust in the front-end to authorize the approve() function, thereby granting the attacker permission to drain the approved assets.

A close-up view presents two sophisticated, white and metallic mechanical connectors, with one end displaying a vibrant blue illuminated core, positioned as if about to interlock. The background features blurred, similarly designed components, suggesting a larger, interconnected system

Parameters

  • Key Metric → Over $1 Million – The estimated total value siphoned from compromised user wallets.
  • Attack Vector → DNS Hijacking – The method used to redirect users to the malicious phishing site.
  • Affected Component → Centralized Domain Registrar – The specific third-party service that was compromised to initiate the attack.
  • Affected Network → Base – The blockchain network where the victim protocol primarily operates.

A futuristic, close-up rendering displays a complex mechanical assembly, featuring a prominent clear, textured sphere connected to a blue cylindrical component, all housed within a white and blue structure. The clear sphere exhibits an intricate, honeycomb-like pattern, merging into the blue element that contains a metallic silver ring

Outlook

Immediate mitigation requires all users who accessed the site during the incident window to revoke token approvals immediately using external tools like Revoke.cash. The contagion risk is high for any protocol relying on centralized DNS or front-end infrastructure, necessitating a rapid shift toward decentralized front-end hosting solutions such as ENS mirrors. This event will likely establish a new security best practice mandating the adoption of a fully decentralized user access layer to eliminate the centralized domain registrar as a single point of failure.

A white, high-tech module is shown partially separated, revealing glowing blue internal components and metallic rings. The detached front section features a circular opening, while the main body displays intricate, illuminated circuitry

Verdict

This DNS hijacking definitively proves that a protocol’s security perimeter must extend beyond the smart contract layer to encompass all centralized off-chain infrastructure that manages user access and trust.

DNS hijacking, front-end compromise, token approval scam, domain registrar vulnerability, decentralized exchange risk, social engineering attack, malicious signature request, unlimited token access, Base network security, user asset drain, web security flaw, off-chain exploit, critical infrastructure risk, phishing campaign, decentralized access Signal Acquired from → ainvest.com

Micro Crypto News Feeds

token approval

Definition ∞ Token Approval is a function within smart contracts that grants a specific address or contract permission to spend a certain amount of a particular token on behalf of the token owner.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

signature request

Definition ∞ A signature request in the digital asset context is a prompt for a user to cryptographically sign a transaction or message using their private key.

exploit

Definition ∞ An exploit refers to the malicious utilization of a security flaw or vulnerability within a protocol, smart contract, or application to gain unauthorized access, steal assets, or disrupt operations.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

network

Definition ∞ A network is a system of interconnected computers or devices capable of communication and resource sharing.

token approvals

Definition ∞ Token approvals are permissions granted by a token holder that allow a smart contract or another address to interact with their tokens, such as transferring or spending them.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

Tags:

Tags: