Briefing

A coordinated front-end attack targeted Aerodrome Finance and Velodrome, the leading decentralized exchanges on the Base and Optimism networks, by compromising their centralized Domain Name System (DNS) registrar. This DNS hijacking redirected users accessing the primary domain to a sophisticated phishing site, which then prompted them to sign malicious approve transactions, granting the attacker unlimited access to their digital assets. The core smart contracts and liquidity pools of both protocols remained secure, confirming the incident was an off-chain infrastructure breach. Initial on-chain forensics estimate the total user loss from compromised wallets to be in excess of $1 million.

Context

The DeFi ecosystem has a known, persistent vulnerability class rooted in reliance on centralized off-chain infrastructure, such as DNS providers and cloud services. This attack vector, which bypasses on-chain smart contract security, was previously exploited against Aerodrome in a similar 2023 breach. The prevailing risk was a failure to fully decentralize the user access point, leaving the domain registrar as a single point of failure susceptible to social engineering or administrative key compromise.

Analysis

The attack chain commenced with the compromise of the domain registrar, specifically Box Domains, which allowed the threat actor to maliciously alter the DNS records for aerodrome.finance and aerodrome.box. This manipulation redirected legitimate user traffic to an identical, attacker-controlled front-end interface. Once connected, the malicious site presented deceptive wallet prompts, beginning with an innocuous signature request and rapidly escalating to an aggressive demand for unlimited token approvals (e.g. ETH, USDC, NFTs). By granting this permission, users effectively authorized the attacker’s wallet to drain their funds without needing a further transaction signature, successfully leveraging a centralized security lapse to execute an on-chain asset drain.
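
The approval prompts described above can be triaged before signing by decoding the raw transaction calldata. The sketch below is an added example, not code from Aerodrome, Velodrome or any wallet; it flags unlimited ERC-20 allowances, NFT operator grants and spenders outside an allowlist, and lets revocations through. The allowlist entry, the sample addresses and the "unlimited" threshold are constructed assumptions.

```python
from typing import Optional

APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED_FLOOR = 2**255           # assumption: at or above this counts as unlimited
# Constructed placeholder allowlist, not real contract addresses.
KNOWN_SPENDERS = {"0x" + "11" * 20}


def decode_approval(calldata: str) -> Optional[dict]:
    """Return the decoded approval, or None if the call is not one."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 2 * 64 or any(c not in "0123456789abcdef" for c in data):
        return None
    selector, word1, word2 = data[:8], data[8:72], data[72:136]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if word1[:24] != "0" * 24:     # an address is left-padded with 12 zero bytes
        return None
    kind = "erc20" if selector == APPROVE else "operator"
    return {"kind": kind, "spender": "0x" + word1[24:], "value": int(word2, 16)}


def assess(calldata: str, known_spenders=KNOWN_SPENDERS) -> list:
    """List the reasons a wallet should stop and warn before signing."""
    call = decode_approval(calldata)
    if call is None or call["value"] == 0:
        return []                  # not an approval, or a revocation (0 / false)
    findings = []
    if call["kind"] == "erc20" and call["value"] >= UNLIMITED_FLOOR:
        findings.append("unlimited-allowance")
    if call["kind"] == "operator":
        findings.append("operator-for-all")
    if call["spender"] not in known_spenders:
        findings.append("unknown-spender")
    return findings


def build(selector: str, spender_hex: str, value: int) -> str:
    """Build constructed sample calldata for exercising assess()."""
    return "0x" + selector + spender_hex.rjust(64, "0") + format(value, "064x")


if __name__ == "__main__":
    unknown = "ab" * 20            # constructed address, not an indicator
    print(assess(build(APPROVE, unknown, 2**256 - 1)))
    print(assess(build(SET_APPROVAL_FOR_ALL, unknown, 1)))
    print(assess(build(APPROVE, unknown, 0)))
```

A revocation is the same call with a zero amount (or false), which is why the check returns no findings for it even when the spender is unknown.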

Parameters

  • Total User Loss (Initial Estimate) ∞ $1,000,000+ – The initial confirmed amount drained from user wallets in the first hour of the attack.
  • Attack Vector ∞ Centralized DNS Hijacking – The method used to redirect users from the legitimate domain to a malicious phishing site.
  • Affected Protocols ∞ Aerodrome Finance and Velodrome – Decentralized exchanges on the Base and Optimism Layer 2 networks.
  • Vulnerability Type ∞ External Dependency Flaw – A security failure in a third-party, centralized service (domain registrar) rather than the core smart contracts.

Outlook

Immediate mitigation requires all users who accessed the compromised domains to utilize a token approval revocation tool to nullify any recent malicious permissions. The incident serves as a critical stress test for DeFi’s reliance on centralized front-end components, accelerating the strategic shift toward mandatory decentralized access via technologies like the Ethereum Name Service (ENS). Protocols must now adopt a defense-in-depth posture that extends beyond smart contract audits to include robust, multi-factor security for all external infrastructure, including domain registrars and cloud services, to prevent this class of off-chain supply chain attack from becoming systemic.

The Aerodrome DNS hijack confirms that the most critical vulnerability in DeFi is not always the smart contract code, but the centralized human-controlled infrastructure used for user access.

Signal Acquired from ∞ bitget.com

Micro Crypto News Feeds

decentralized exchanges

Definition ∞ Decentralized exchanges, often abbreviated as DEXs, are platforms that allow users to trade cryptocurrencies directly with each other without an intermediary.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

token approvals

Definition ∞ Token approvals are permissions granted by a token holder that allow a smart contract or another address to interact with their tokens, such as transferring or spending them.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

wallets

Definition ∞ 'Wallets' are software or hardware applications that store the private and public keys necessary to interact with a blockchain network and manage digital assets.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

external dependency

Definition ∞ An external dependency denotes a reliance on an outside system, service, or component for a particular digital asset or protocol to function correctly.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.