Aerodrome Finance, one of the leading decentralized exchanges (DEX) on the Base network, is currently investigating a suspected DNS hijacking attack that compromised its centralized domains, exposing users to sophisticated phishing schemes targeting multiple crypto assets, including NFTs, ETH, and USDC. The incident has prompted the protocol to temporarily shut down access to its primary domains and redirect users to verified decentralized alternatives.
DNS Hijacking Compromises Centralized Domains

The attack appears to have exploited vulnerabilities in the Domain Name System (DNS) infrastructure supporting Aerodrome Finance’s primary web presence. The team confirmed that both the .finance and .box domains were hijacked, potentially allowing attackers to intercept user traffic, deploy malicious frontends, and request fraudulent wallet signatures.
Aerodrome Finance urged its users to avoid using the compromised centralized domains and instead rely on decentralized mirrors hosted via Ethereum Name Service (ENS), specifically at aero.drome.eth.limo and aero.drome.eth.link. ENS operates independently of traditional DNS, which makes it resistant to hijacking attempts of this kind.
The protocol emphasized that its smart contracts remained secure throughout the incident, isolating the breach to the frontend and preventing direct contract-level exploits.
Rapid Response and Emergency Lockdown
The breach was first detected approximately six hours before the public warnings were issued. Aerodrome’s security team immediately flagged Box Domains, the service managing its domains, as potentially compromised and requested urgent action. Within hours, the team confirmed that attackers had gained control of both primary domains and proceeded to shut them down.
To maintain safe access, Aerodrome deployed the two verified ENS-based decentralized mirrors. The team reassured users that all smart contract functionality remained uncompromised, and the risk was confined to frontend interactions.
The coordinated warnings from sister protocol Velodrome, which faced similar threats, suggested a broader pattern. It appears that attackers may have been systematically targeting Box Domains’ infrastructure to compromise multiple DeFi platforms simultaneously.
User Experiences Highlight Sophisticated Phishing Attacks

Affected users reported that the hijacked frontend deployed a deceptive two-stage attack designed to exploit wallet permissions.
- Initial Signature Request: The interface requested what appeared to be a harmless signature, often containing only the number “1.”
- Unlimited Approval Prompts: Immediately after, the site triggered multiple unlimited approval requests for NFTs, ETH, USDC, and WETH.
One user described the attack as aggressive and fast-moving:
“It asked for a simple signature, then instantly tried unlimited approvals to drain NFTs, ETH, and USDC. If you weren’t paying attention, you could’ve lost everything.”
Some victims documented the attack with screenshots and video recordings, tracking the progression from initial signature requests to multiple asset drain attempts. Investigations, aided by AI tools, included analysis of browser configurations, extensions, DNS settings, and RPC endpoints. The findings were consistent with DNS hijacking methodologies.
A separate report from a seasoned developer highlighted the sophistication of the attack. Despite technical expertise, the user suffered significant losses and spent three days recovering approximately 10–15% of the stolen assets through advanced on-chain stealth techniques using a Jito bundle-based script.
Security Context: A Low Month for Crypto Exploits
The Aerodrome incident coincides with October 2025 being an unusually calm month for crypto security. According to blockchain security firm PeckShield, only $18.18 million was stolen across 15 separate incidents, marking an 85.7% decrease from September’s losses of $127.06 million.
Without the late-month Garden Finance exploit, total losses would have been near $7.18 million, the lowest monthly total since early 2023.
Notable incidents in October included:
- Garden Finance: Exploited for over $10 million after a solver was compromised. Losses were confined to the solver’s own inventory.
- Typus Finance: Lost $3.4 million via an oracle manipulation attack exploiting a flaw in a TLP contract, causing the native token to drop roughly 35%.
- Abracadabra: Experienced its third exploit, losing $1.8 million in MIM stablecoins due to a smart contract vulnerability bypassing solvency checks.
Lessons and Recommendations for Users

The Aerodrome breach highlights the ongoing vulnerabilities associated with centralized domain infrastructure in the DeFi ecosystem. While smart contracts remain a primary focus for security audits, frontend access points can become high-value targets for attackers using DNS hijacking to execute phishing campaigns.
Key recommendations for users include:
- Avoid using compromised centralized domains for accessing DeFi platforms.
- Prefer decentralized alternatives like ENS-based mirrors that are resistant to DNS attacks.
- Monitor wallet approval prompts carefully and avoid unlimited approvals to unknown addresses.
- Keep browsers and extensions secure, and consider hardware wallets for added security.
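The approval check recommended above can be applied to a transaction's raw calldata before it is signed. The Python below is an added example, not code from Aerodrome or any wallet vendor: it decodes ERC-20 approve and NFT setApprovalForAll calls and blocks any approval to a spender outside an allowlist. The allowlist, the "unlimited" threshold and both sample addresses are assumptions made for illustration.

```python
# Added example (not from Aerodrome or any wallet vendor): flag risky approvals.
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
UNLIMITED_THRESHOLD = 2**255       # assumption: at or above this counts as unlimited

def encode_call(selector, spender, value):
    """Build constructed sample calldata: selector + two 32-byte ABI words."""
    return "0x" + selector + spender[2:].lower().rjust(64, "0") + format(value, "064x")

def classify_calldata(calldata, trusted_spenders):
    """Return (verdict, reason); verdict is ignore, allow, warn or block."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return ("ignore", "not an approval call")
    if len(args) < 128:
        return ("block", "truncated approval calldata")
    try:
        spender = "0x" + format(int(args[:64], 16), "040x")
        value = int(args[64:128], 16)
    except ValueError:
        return ("block", "calldata is not valid hex")
    if value == 0:
        return ("allow", "revokes an existing approval")
    trusted = spender in {s.lower() for s in trusted_spenders}
    if not trusted:
        return ("block", "approval to spender %s not on the allowlist" % spender)
    # An operator approval covers every token in the collection, so it is
    # always treated as unlimited; ERC-20 amounts are compared to the threshold.
    unlimited = selector == SET_APPROVAL_FOR_ALL or value >= UNLIMITED_THRESHOLD
    if unlimited:
        return ("warn", "unlimited approval to allowlisted spender")
    return ("allow", "bounded approval to allowlisted spender")

# Constructed sample data: both addresses are placeholders, not real contracts.
TRUSTED_ROUTER = "0x" + "11" * 20
UNKNOWN_SPENDER = "0x" + "ab" * 20
SAMPLES = [
    encode_call(APPROVE, UNKNOWN_SPENDER, 2**256 - 1),
    encode_call(SET_APPROVAL_FOR_ALL, UNKNOWN_SPENDER, 1),
    encode_call(APPROVE, TRUSTED_ROUTER, 2**256 - 1),
    encode_call(APPROVE, TRUSTED_ROUTER, 250 * 10**6),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_calldata(sample, [TRUSTED_ROUTER]))
```

A hijacked frontend can serve any page content, so a check like this only helps when it runs somewhere the frontend does not control, such as the wallet or a signing proxy.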
Conclusion
While Aerodrome Finance’s smart contracts were not compromised, the DNS hijacking attack underscores the ongoing risks associated with frontend vulnerabilities in the DeFi space. The rapid response, deployment of ENS-based mirrors, and clear communication with users mitigated potentially severe losses. However, users must remain vigilant, as sophisticated phishing attacks continue to evolve alongside the broader DeFi ecosystem.
October’s relatively low loss figures offer a temporary sense of security for the crypto sector, but the Aerodrome incident serves as a stark reminder that frontend security, domain management, and user vigilance are just as critical as smart contract auditing in safeguarding digital assets.