Velodrome and Aerodrome DNS Hijack Exposes Critical Frontend Vulnerabilities in DeFi

The decentralized finance ecosystem faced a stark reminder of its centralized weak points as two prominent decentralized exchanges, Velodrome and Aerodrome, suffered coordinated DNS hijacking attacks that redirected users to malicious phishing pages. The incidents, which unfolded on the Optimism and Base blockchains respectively, resulted in approximately $700,000 in user losses and triggered urgent questions about the security of frontend infrastructure across DeFi.

The Exploit Mechanics

According to post-incident reports, the attackers executed a social engineering campaign targeting the domain registrar infrastructure that managed the centralized domains for both Velodrome and Aerodrome. By compromising an insider at the registrar, the attackers bypassed multisig controls in the 3DNS system, removed DNSSEC protections, and redirected the legitimate domain names to attacker-controlled phishing pages.

The attack vector did not involve any smart contract vulnerability. Instead, it exploited the centralized DNS layer — the very infrastructure that translates human-readable website addresses into server locations. Once the DNS records were modified, users who navigated to the familiar Velodrome and Aerodrome URLs were silently redirected to convincing clones designed to drain wallet funds through malicious transaction approvals.
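The two changes described above, dropped DNSSEC protection and repointed records, can both be observed from outside the registrar. The following is an added example, not code from either protocol or from the post-incident reports: it compares polled DNS observations against a pinned baseline. The `Observation` fields, hostnames and addresses are constructed assumptions; in practice each observation would come from polling a validating resolver.

```python
# Added example: detect DNSSEC removal and record repointing against a pinned baseline.
# All names and addresses are constructed (reserved example/documentation ranges).
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ts: str            # poll time label
    ns: frozenset      # NS names delegated by the parent zone
    a: frozenset       # A records returned for the frontend host
    ds_present: bool   # parent zone still publishes a DS record
    validated: bool    # validating resolver set the AD bit on the answer

BASELINE = Observation(
    "baseline",
    frozenset({"ns1.dns-host.example.", "ns2.dns-host.example."}),
    frozenset({"192.0.2.10", "192.0.2.11"}),
    ds_present=True, validated=True,
)

def drift(baseline, obs):
    """Return (severity, message) findings for one observation."""
    findings = []
    if baseline.ds_present and not obs.ds_present:
        findings.append(("critical", "DS record removed: DNSSEC chain of trust dropped"))
    elif baseline.validated and not obs.validated:
        findings.append(("high", "answer no longer DNSSEC-validated (AD bit clear)"))
    if obs.ns != baseline.ns:
        findings.append(("critical", f"NS set changed, new: {sorted(obs.ns - baseline.ns)}"))
    unknown = obs.a - baseline.a
    if unknown:
        findings.append(("critical", f"A record outside approved set: {sorted(unknown)}"))
    return findings

def first_alert(baseline, observations):
    """Return (timestamp, findings) for the earliest observation that drifts, else None."""
    for obs in observations:
        found = drift(baseline, obs)
        if found:
            return obs.ts, found
    return None

# Constructed timeline: DS disappears first, then the A record is repointed.
TIMELINE = [
    Observation("t0", BASELINE.ns, BASELINE.a, True, True),
    Observation("t1", BASELINE.ns, BASELINE.a, False, False),
    Observation("t2", BASELINE.ns, frozenset({"203.0.113.66"}), False, False),
]
print(first_alert(BASELINE, TIMELINE))
```
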

One user reported that the exploit resulted in more than $1 million being stolen in less than an hour, though official estimates later settled at approximately $700,000 in total losses. With Bitcoin trading around $39,476 and Ethereum at $2,165 at the time, the losses represented a significant sum for the affected DeFi community.

Affected Systems

Velodrome, the largest decentralized exchange on the Optimism blockchain by total value locked, saw its centralized domain compromised first. Aerodrome, its sister protocol operating on the Base network, experienced a similar attack within days. Both platforms confirmed that their smart contracts remained fully secure and that the MetaDEX protocol — the core decentralized exchange engine — was not affected.

Importantly, decentralized application interfaces continued operating normally throughout the incident. Users accessing the protocols through decentralized gateways or direct contract interactions experienced no disruption. The attack surface was limited entirely to the centralized web frontend, highlighting the contrast between the resilience of on-chain infrastructure and the fragility of off-chain web services.

The Mitigation Strategy

Response to the attack was swift. Security partners including Blockaid, 0xGroomLake, SEAL, and FTI Consulting mobilized within minutes of the first malicious transaction being detected. Within two minutes, major wallet providers including MetaMask and Coinbase Wallet were displaying active warnings to users attempting to interact with the compromised domains.

The full remediation, including patch distribution, took less than four hours. Both teams confirmed they would not restore domains on the previous infrastructure and announced plans to migrate to enterprise-grade corporate registrars with enhanced security controls. Additionally, the teams outlined plans to enable users to access Velodrome and Aerodrome through firewalled, private networks with their own RPC endpoints — effectively decentralizing the frontend access layer.

Lessons Learned

The Velodrome and Aerodrome incident underscores a fundamental tension in DeFi: while smart contracts can be audited, upgraded, and governed on-chain, the web interfaces that most users rely on remain dependent on centralized DNS infrastructure. A single compromised registrar employee can undermine months of security auditing and millions of dollars in development.

The attack also demonstrated the value of rapid response ecosystems. The cooperation between security firms, wallet providers, and the protocol teams themselves contained what could have been a far more damaging incident. The fact that decentralized interfaces remained operational throughout the crisis points toward a future where users might access DeFi through multiple redundant pathways rather than a single centralized domain.

User Action Required

Users who interacted with Velodrome or Aerodrome through centralized domains during the affected period should immediately revoke any token approvals granted during that window. Tools like Revoke.cash and Etherscan token approval checkers can identify suspicious permissions. Moving forward, users should consider bookmarking verified IPFS gateways or decentralized access points for critical DeFi protocols, and should always verify URLs before connecting wallets or signing transactions.
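The approval review described above can be done directly on ERC-20 `Approval` event logs. The following is an added example, not code from the article or from Revoke.cash or Etherscan: it lists approvals a wallet granted inside an incident window that are still non-zero and whose spender is not on an allowlist. It assumes the window is expressed as a block range and the logs use the `eth_getLogs` JSON shape; every address and block number is constructed.

```python
# Added example: triage ERC-20 Approval logs for one wallet over an incident window.
# Logs use the eth_getLogs JSON shape; all addresses and block numbers are constructed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def addr(topic):
    """Indexed address topics are 32 bytes, left-padded: keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def approvals_to_review(logs, owner, first_block, last_block, known_spenders):
    """Approvals by `owner` granted inside the block window, still non-zero per the
    latest Approval event, whose spender is not in `known_spenders`."""
    known = {s.lower() for s in known_spenders}
    current, granted = {}, {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics and empty data: skip it.
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC or addr(t[1]) != owner.lower():
            continue
        key, block = (log["address"].lower(), addr(t[2])), int(log["blockNumber"], 16)
        current[key] = int(log["data"], 16)  # last approved amount, not remaining allowance
        if first_block <= block <= last_block and current[key] > 0:
            granted[key] = block
    return [
        {"token": tok, "spender": sp, "block": blk, "unlimited": current[(tok, sp)] == MAX_UINT256}
        for (tok, sp), blk in sorted(granted.items(), key=lambda kv: kv[1])
        if current[(tok, sp)] > 0 and sp not in known
    ]

def _log(token, owner, spender, amount, block, index=0):
    """Build a constructed ERC-20 Approval log entry."""
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": hex(amount), "blockNumber": hex(block), "logIndex": hex(index)}

OWNER, ROUTER = "0x" + "aa" * 20, "0x" + "11" * 20         # constructed wallet, allowlisted spender
UNKNOWN_A, UNKNOWN_B = "0x" + "d1" * 20, "0x" + "d2" * 20  # constructed unrecognised spenders
TOKEN_X, TOKEN_Y = "0x" + "c1" * 20, "0x" + "c2" * 20      # constructed token contracts
SAMPLE_LOGS = [
    _log(TOKEN_X, OWNER, ROUTER, 500, 90),               # before the window
    _log(TOKEN_X, OWNER, UNKNOWN_A, MAX_UINT256, 105),   # in window, unlimited
    _log(TOKEN_Y, OWNER, UNKNOWN_B, 1000, 110),          # in window ...
    _log(TOKEN_Y, OWNER, UNKNOWN_B, 0, 140),             # ... revoked afterwards
    _log(TOKEN_Y, OWNER, ROUTER, 42, 112),               # in window, allowlisted spender
]
FLAGGED = approvals_to_review(SAMPLE_LOGS, OWNER, 100, 120, {ROUTER})
```

The amount in the latest `Approval` event is an upper bound on what the spender can still move, so a flagged entry should be revoked rather than assumed harmless.
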

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any financial decisions.


7 thoughts on “Velodrome and Aerodrome DNS Hijack Exposes Critical Frontend Vulnerabilities in DeFi”

  1. insider at the registrar is wild. $700k gone because someone got socially engineered at a dns provider. the smart contracts held fine, it was the centralized layer that failed

    1. smart contracts held fine, DNS was the weak link. decentralized naming like ENS should be the default for defi frontends

      1. ENS as default frontend would solve this but try getting defi users to type .eth domains instead of .finance. adoption moves slower than the hackers

    2. social engineering an insider at a registrar is way cheaper than finding a smart contract exploit. $700K stolen for probably a few thousand in bribes. ROI on crime is insane

  2. dns_paranoia_

    this is why i always bookmark the etherscan contract page directly. if the dns goes sideways at least i can still interact with the actual contracts

      1. bookmarking the contract page is step one. step two is a hardware wallet that displays the actual destination address before you sign anything
