Aerodrome Finance DNS Hijacking Exposes DeFi Front-End Vulnerabilities

The cryptocurrency security landscape faced another stark reminder of its fragility this week as Aerodrome Finance, the largest decentralized exchange on Coinbase’s Base network, suffered a sophisticated DNS hijacking attack. The breach, which came to light on November 22, 2025, compromised the platform’s centralized domains and redirected users to malicious phishing sites designed to drain wallets of their holdings.

The Exploit Mechanics

The attack targeted Aerodrome’s domain name system (DNS) records through its registrar, NameSilo. By compromising the registrar, the attackers were able to modify DNS settings for Aerodrome’s primary domains, including the .finance and .box addresses. Users who navigated to these domains were silently redirected to convincingly replicated phishing interfaces that mimicked the legitimate Aerodrome user experience. Once connected, the fake front end prompted users with signature requests that appeared routine but actually granted unlimited token approvals to the attackers’ wallets. Within less than an hour, reports indicated that over $1 million had been drained from unsuspecting users.

Affected Systems

The attack impacted Aerodrome Finance’s centralized web domains, while the underlying smart contract infrastructure on Base remained secure and unaffected. Velodrome Finance, a related protocol on Optimism, reported a similar compromise, suggesting a coordinated attack leveraging the same DNS registrar vulnerability. The decentralized mirror sites — specifically aero.drome.eth.limo and aero.drome.eth.link — were confirmed safe throughout the incident, as they rely on Ethereum’s decentralized naming system rather than traditional DNS infrastructure. Bitcoin traded at approximately $86,800 at the time of the attack, with Ethereum hovering near $2,800, providing substantial liquidity targets for the attackers.

The Mitigation Strategy

Aerodrome’s team responded by urgently warning all users to avoid the compromised centralized domains. The project confirmed that 3DNS, its decentralized domain management system, was protected by a multisignature wallet arrangement that prevented the attack from extending further. Multiple top-tier security firms were engaged to investigate the breach and assist with domain recovery. Alexander Cutler, co-founder of Aerodrome and CEO of Dromos Labs, publicly addressed the incident, emphasizing that DNS hijacking attacks typically exploit registrar-level vulnerabilities rather than project-side weaknesses. The team worked to restore safe access through verified decentralized mirrors while the centralized domains were being recovered.

Lessons Learned

This incident underscores a critical vulnerability in the DeFi ecosystem: even when smart contracts are bulletproof, the front-end layer remains susceptible to traditional web security exploits. The Aerodrome attack is part of a broader trend identified in a Global Ledger report showing that over $3 billion was stolen in crypto attacks during the first half of 2025 alone. Centralized exchanges accounted for 54.26 percent of total losses, and attackers are laundering stolen funds faster than ever, sometimes within minutes of the initial breach. The lesson is clear — DNS security is just as important as smart contract audits, and projects must invest equally in both layers of defense.

User Action Required

Anyone who interacted with Aerodrome or Velodrome Finance through centralized domains between November 21 and November 23, 2025, should immediately revoke all token approvals granted during that window. Users can check their approval history through tools like Revoke.cash or Etherscan’s token approval checker. Moving forward, bookmarking decentralized domain mirrors and verifying URLs before connecting wallets are essential practices. Hardware wallet users should review recent transaction signatures for any unexpected approval requests. If funds were compromised, users should report the incident to the respective protocol teams and relevant law enforcement agencies immediately.
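
The unlimited approvals described in this article are ordinary contract calls, so the raw transaction data can be decoded before signing or when reviewing wallet history. The following Python is an added example, not code from Aerodrome or from this article's author; the 2**255 "unlimited" threshold, the trusted-spender set and the sample calldata are assumptions constructed for illustration.

```python
# Added example (not from the article): classify approval-style calldata.
# Selectors are the 4-byte IDs of widely used ERC-20/721/1155 approval calls.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
# Assumption: amounts at or above 2**255 are treated as effectively unlimited.
UNLIMITED_THRESHOLD = 2**255


def classify_calldata(data_hex, trusted_spenders=frozenset()):
    """Return a summary dict for an approval call, or None for other calls.

    trusted_spenders holds lowercase 0x-prefixed addresses the user expects.
    """
    data = data_hex.lower().removeprefix("0x")
    sig = SELECTORS.get(data[:8])
    if sig is None:
        return None
    args = data[8:]
    if len(args) < 128:
        raise ValueError("truncated calldata: need two 32-byte arguments")
    spender = "0x" + args[24:64]      # address = low 20 bytes of word 1
    value = int(args[64:128], 16)     # word 2: amount, or bool for operators
    if sig.startswith("setApprovalForAll"):
        risky = value != 0            # operator may move every token ID
        amount = "all tokens" if risky else "revoked"
    else:
        risky = value >= UNLIMITED_THRESHOLD
        amount = "unlimited" if risky else str(value)
    return {"function": sig, "spender": spender, "amount": amount,
            "flag": risky and spender not in trusted_spenders}


# Constructed sample inputs; the spender is a placeholder, not a real address.
SPENDER = "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + SPENDER + "ff" * 32
SAMPLE_BOUNDED = "0x095ea7b3" + "00" * 12 + SPENDER + format(5 * 10**18, "064x")

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED, SAMPLE_BOUNDED):
        print(classify_calldata(sample))
```

This covers on-chain approval transactions only; off-chain permit-style signatures carry the spender and amount in typed data rather than calldata and need separate decoding.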

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before interacting with any DeFi protocol.

12 thoughts on “Aerodrome Finance DNS Hijacking Exposes DeFi Front-End Vulnerabilities”

  1. decentralized ENS mirrors stayed safe while centralized DNS got hijacked. the answer is staring everyone in the face but UX for ENS is still terrible

    1. dns_is_dead_ ENS is the right answer but the UX gap is massive. try explaining to a retail user why they should type aerodrome.eth through an extension instead of just googling it. the phishing problem is a UX problem

  2. namecheap_refugee

    NameSilo as the registrar is the real story. budget registrars have weaker security controls and DNS hijacking becomes trivial. protocols need to use enterprise-grade DNS providers

  3. NameSilo is the real story here. protocols managing 9 figure TVL should not be using discount domain providers. spend the extra 50 bucks a year on Cloudflare enterprise DNS and this attack vector disappears

  4. This is exactly why we need to move toward decentralized front-ends using IPFS or ENS. Seeing a top-tier protocol like Aerodrome get hit by a DNS hijack is a massive wake-up call for the whole Base ecosystem. Always double-check the contract address on your hardware wallet before signing anything!

  5. Sarah Jenkins

    Absolutely terrifying to think that even if the smart contracts are audited and secure, a simple domain hijack can still lead to total loss. I’ve been using Aerodrome for months and never thought the UI itself was the weak link. Stay safe out there and revoke those permissions if you interacted with the site during the breach.

  6. VitalikFanboy

    Front-end vulnerabilities are the silent killer of DeFi adoption right now. We talk about ‘decentralization’ but most users are still clicking buttons on a centralized AWS or GoDaddy server. Hopefully, this leads to better security standards across the board because these DNS exploits are getting way too common.

    1. VitalikFanboy you nailed it. we call it decentralized finance but the front end runs on AWS and the domain is controlled by a random registrar. the decentralization is only at the smart contract layer

  7. Another day, another front-end exploit. This is why I always keep my main stack in cold storage and only use burner wallets for daily DeFi interactions. Aerodrome is great, but this just proves that no UI is 100% safe. Don’t trust, verify the transaction hex if you can!
