Briefing

A coordinated front-end attack targeted Aerodrome Finance and Velodrome, the leading decentralized exchanges on the Base and Optimism networks, by compromising their centralized Domain Name System (DNS) registrar. This DNS hijacking redirected users accessing the primary domain to a sophisticated phishing site, which then prompted them to sign malicious approve transactions, granting the attacker unlimited access to their digital assets. The core smart contracts and liquidity pools of both protocols remained secure, confirming the incident was an off-chain infrastructure breach. Initial on-chain forensics estimate the total user loss from compromised wallets to be in excess of $1 million.

Context

The DeFi ecosystem has a known, persistent vulnerability class rooted in reliance on centralized off-chain infrastructure, such as DNS providers and cloud services. This attack vector, which bypasses on-chain smart contract security, was previously exploited against Aerodrome in a similar 2023 breach. The prevailing risk was a failure to fully decentralize the user access point, leaving the domain registrar as a single point of failure susceptible to social engineering or administrative key compromise.

Analysis

The attack chain commenced with the compromise of the domain registrar, specifically Box Domains, which allowed the threat actor to maliciously alter the DNS records for aerodrome.finance and aerodrome.box. This manipulation redirected legitimate user traffic to an identical, attacker-controlled front-end interface. Once connected, the malicious site presented deceptive wallet prompts, beginning with an innocuous signature request and rapidly escalating to an aggressive demand for unlimited token approvals (e.g. ETH, USDC, NFTs). By granting this permission, users effectively authorized the attacker’s wallet to drain their funds without needing a further transaction signature, successfully leveraging a centralized security lapse to execute an on-chain asset drain.

Parameters

  • Total User Loss (Initial Estimate) → $1,000,000+ – The initial confirmed amount drained from user wallets in the first hour of the attack.
  • Attack Vector → Centralized DNS Hijacking – The method used to redirect users from the legitimate domain to a malicious phishing site.
  • Affected Protocols → Aerodrome Finance and Velodrome – Decentralized exchanges on the Base and Optimism Layer 2 networks.
  • Vulnerability Type → External Dependency Flaw – A security failure in a third-party, centralized service (domain registrar) rather than the core smart contracts.

Outlook

Immediate mitigation requires all users who accessed the compromised domains to utilize a token approval revocation tool to nullify any recent malicious permissions. The incident serves as a critical stress test for DeFi’s reliance on centralized front-end components, accelerating the strategic shift toward mandatory decentralized access via technologies like the Ethereum Name Service (ENS). Protocols must now adopt a defense-in-depth posture that extends beyond smart contract audits to include robust, multi-factor security for all external infrastructure, including domain registrars and cloud services, to prevent this class of off-chain supply chain attack from becoming systemic.
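The unlimited approvals described in the Analysis and the revocations called for above are both visible in the calldata a wallet is asked to sign. The following added example (not from the original article or from either protocol) decodes that calldata and flags grants to spenders outside an allowlist; the addresses and the allowlist are constructed placeholders.

```python
# Added example, not from the original page: classify approval calldata before signing.
MAX_UINT256 = 2**256 - 1
APPROVE = "095ea7b3"               # approve(address,uint256) on ERC-20 tokens
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool) on ERC-721/1155

# Constructed placeholder addresses (assumptions, not real contracts).
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ee" * 20
TRUSTED_SPENDERS = {TRUSTED_ROUTER}


def encode(selector, address, value):
    """Build sample calldata: 4-byte selector plus two 32-byte ABI words."""
    return "0x" + selector + address[2:].rjust(64, "0") + format(value, "064x")


def classify(calldata, trusted=TRUSTED_SPENDERS):
    """Return (kind, spender, verdict) for one transaction's calldata."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, body = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return ("other", None, "not-an-approval")
    if len(body) != 128:
        raise ValueError("expected exactly two 32-byte arguments")
    if int(body[:24], 16) != 0:
        raise ValueError("address argument has non-zero padding")
    spender = "0x" + body[24:64]
    value = int(body[64:], 16)  # allowance, or the bool for setApprovalForAll
    kind = "erc20-approve" if selector == APPROVE else "approval-for-all"
    if value == 0:
        return (kind, spender, "revoke")  # allowance 0 or approved=false
    if spender not in trusted:
        return (kind, spender, "block")   # unknown spender would gain spend rights
    if kind == "approval-for-all" or value == MAX_UINT256:
        return (kind, spender, "review")  # trusted spender, but unbounded grant
    return (kind, spender, "ok")


if __name__ == "__main__":
    samples = [  # constructed calldata, not taken from the incident
        encode(APPROVE, UNKNOWN_SPENDER, MAX_UINT256),
        encode(SET_APPROVAL_FOR_ALL, UNKNOWN_SPENDER, 1),
        encode(APPROVE, TRUSTED_ROUTER, 10**6),
        encode(APPROVE, UNKNOWN_SPENDER, 0),
    ]
    for sample in samples:
        print(classify(sample))
```

The "revoke" verdict corresponds to what a revocation tool submits: the same call with an allowance of zero, or `approved` set to false.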

The Aerodrome DNS hijack confirms that the most critical vulnerability in DeFi is not always the smart contract code, but the centralized human-controlled infrastructure used for user access.

Signal Acquired from → bitget.com

Micro Crypto News Feeds

decentralized exchanges

Definition ∞ Decentralized exchanges, often abbreviated as DEXs, are platforms that allow users to trade cryptocurrencies directly with each other without an intermediary.

infrastructure

Definition ∞ Infrastructure refers to the fundamental technological architecture and systems that support the operation and growth of blockchain networks and digital asset services.

token approvals

Definition ∞ Token approvals are permissions granted by a token holder that allow a smart contract or another address to interact with their tokens, such as transferring or spending them.

on-chain

Definition ∞ On-chain refers to any transaction or data that is recorded and validated directly on a blockchain ledger, making it publicly verifiable and immutable.

wallets

Definition ∞ 'Wallets' are software or hardware applications that store the private and public keys necessary to interact with a blockchain network and manage digital assets.

attack vector

Definition ∞ An attack vector is a pathway or method by which malicious actors can gain unauthorized access to a system or digital asset.

decentralized

Definition ∞ Decentralized describes a system or organization that is not controlled by a single central authority.

external dependency

Definition ∞ An external dependency denotes a reliance on an outside system, service, or component for a particular digital asset or protocol to function correctly.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.