Aerodrome Finance, the leading decentralized exchange on the Base network, confirmed it is investigating a suspected DNS hijacking attack that compromised its centralized domains.
The protocol warned users to avoid accessing its primary .finance and .box domains and instead use two secure decentralized mirrors hosted on ENS infrastructure.
The attack unfolded rapidly, with affected users reporting malicious signature requests designed to drain multiple assets, including NFTs, ETH, and USDC, through unlimited approval prompts.
While the team maintains that all smart contracts remain secure, the frontend compromise exposed users to sophisticated phishing attempts that could have drained wallets for those who weren’t carefully monitoring transaction approvals.
Aerodrome’s investigation began when the team detected unusual activity on its primary domain infrastructure approximately six hours before issuing public warnings.
The protocol immediately flagged its domain provider, Box Domains, as potentially compromised and urged the service to reach out urgently.
Within hours, the team confirmed that both centralized domains, .finance and .box, had been hijacked and remained under attacker control.
The protocol responded by shutting down access to all primary URLs while establishing two verified safe alternatives: aero.drome.eth.limo and aero.drome.eth.link.
These decentralized mirrors leverage the Ethereum Name Service, which operates independently of traditional DNS systems that are vulnerable to hijacking.
The team emphasized that smart contract security remained intact throughout the incident, containing the breach exclusively to frontend access points.
Sister protocol Velodrome faced similar threats, prompting its team to issue parallel warnings about domain security.
The coordinated nature of the warnings suggested that attackers may have systematically targeted Box Domains’ infrastructure to compromise multiple DeFi platforms simultaneously.
One affected user described encountering the malicious interface before official warnings circulated, detailing how the compromised site deployed a deceptive two-stage attack.
The hijacked frontend first requested what appeared to be a harmless signature containing only the number “1,” establishing initial wallet connection.
Immediately after this seemingly innocuous request, the interface triggered an unlimited number of approval prompts for NFTs, ETH, USDC, and WETH.
“It asked for a simple signature, then instantly tried unlimited approvals to drain NFTs, ETH, and USDC,” the user reported. “If you weren’t paying attention, you could’ve lost everything.”
The victim documented the attack through screenshots and video recordings, capturing the progression from initial signature request through multiple drain attempts.
Their investigation, conducted with AI assistance, examined browser configurations, extensions, DNS settings, and RPC endpoints before concluding that the attack pattern aligned with DNS hijacking methodology.
Another community member shared an experience with a separate, draining incident recently, describing themselves as a seasoned veteran and full-stack developer who still fell victim to sophisticated attacks.
Despite technical expertise, the user lost significant funds and spent 3 days developing a Jito bundle-based script to recover roughly 10-15% of the stolen assets through on-chain stealth operations.
The Aerodrome incident emerged during October’s unexpected security milestone, as the crypto market experienced its lowest monthly hack losses of the year.
Data from blockchain security firm PeckShield shows only $18.18 million was stolen across 15 separate incidents, representing a steep 85.7% decline from September’s $127.06 million.
Without the late-month Garden Finance exploit, total losses would have hovered near $7.18 million, the lowest single-month value since early 2023.
The largest incidents occurred at Garden Finance, Typus Finance, and Abracadabra, which collectively accounted for $16.2 million of total stolen funds.
Garden Finance, a Bitcoin peer-to-peer protocol, disclosed on October 30 that it had been exploited for more than $10 million after one of its solvers was compromised, with the breach affecting only the solver’s own inventory.
Typus Finance suffered an oracle manipulation attack on October 15 that drained roughly $3.4 million from its liquidity pools, traced to a flaw in one of its TLP contracts that caused the project’s native token to drop about 35%.
DeFi lending platform Abracadabra endured its third exploit since launch around the same time, resulting in roughly $1.8 million in MIM stablecoin losses after hackers bypassed solvency checks through a smart contract vulnerability.
