Aerodrome Finance, the leading decentralized exchange (DEX) on the Base network, suffered a DNS hijacking attack targeting its centralized domains (`.finance` and `.box`). The breach exposed users to sophisticated phishing attempts via malicious signature requests designed to drain wallets of NFTs, ETH, USDC, and WETH through unlimited approval prompts. While the team confirmed that the smart contracts remained secure, the frontend compromise allowed attackers to deploy deceptive interfaces that first tricked users into signing a harmless-looking message (e.g., the number '1') and then immediately triggered drain transactions. Users who did not scrutinize the approvals they were asked to grant risked losing their entire wallet balances. Aerodrome responded by shutting down the compromised domains and directing users to decentralized mirrors (ENS-based URLs) while investigating the incident. The attack leveraged vulnerabilities in Box Domains’ infrastructure, and sister protocol Velodrome issued parallel warnings, suggesting a broader, coordinated threat against DeFi platforms. No confirmed losses were quantified in the report, but the exploit follows the pattern of phishing-driven asset drainage, a high-risk vector in DeFi security.
Source: https://cryptonews.com/news/bases-top-dex-aerodrome-hit-by-a-suspected-frontend-security-breach/
Dromos Labs cybersecurity rating report: https://www.rankiteo.com/company/dromoslabs
"id": "DRO2295022112225",
"linkid": "dromoslabs",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{
    'affected_entities': [
        {
            'customers_affected': 'Unknown (users interacting with .finance/.box domains during breach window)',
            'industry': 'DeFi (Decentralized Finance)',
            'location': 'Base Network (Ethereum L2)',
            'name': 'Aerodrome Finance',
            'type': 'Decentralized Exchange (DEX)',
        },
        {
            'customers_affected': 'Potential (due to parallel warnings)',
            'industry': 'DeFi',
            'location': 'Optimism Network',
            'name': 'Velodrome Finance',
            'type': 'Decentralized Exchange (DEX)',
        },
        {
            'industry': 'Web Infrastructure',
            'name': 'Box Domains',
            'type': 'Domain Provider',
        },
    ],
    'attack_vector': ['DNS Spoofing/Hijacking', 'Malicious Signature Requests', 'Unlimited Approval Prompts'],
    'customer_advisories': 'https://twitter.com/AerodromeFi (Real-Time Updates)',
    'data_breach': {
        'data_exfiltration': ['Potential (via Malicious Approvals)', 'No Confirmed Large-Scale Drain'],
        'personally_identifiable_information': ['Wallet Addresses (via Signatures)'],
        'sensitivity_of_data': 'High (Financial Transaction Approvals)',
        'type_of_data_compromised': ['Wallet Signatures', 'Transaction Approval Data'],
    },
    'date_detected': '2025-11-22T00:00:00Z (approximately 6 hours before public disclosure)',
    'date_publicly_disclosed': '2025-11-22T00:00:00Z',
    'description': 'Aerodrome Finance, the leading decentralized exchange (DEX) on the Base network, confirmed a DNS hijacking attack that compromised its centralized domains (.finance and .box). The attack exposed users to phishing attempts targeting NFTs, ETH, USDC, and WETH through malicious signature requests (e.g., unlimited approval prompts). While smart contracts remained secure, the frontend compromise risked wallet drains for users who approved transactions. Aerodrome urged users to avoid the compromised domains and use decentralized mirrors (ENS-based: aero.drome.eth.limo and aero.drome.eth.link) until the issue was resolved. The incident occurred amid a broader decline in crypto hack losses in October 2025, though it highlighted vulnerabilities in DNS infrastructure and DeFi frontend security.',
    'impact': {
        'brand_reputation_impact': ['Erosion of Trust in Frontend Security', 'Highlighted Vulnerabilities in DeFi DNS Infrastructure'],
        'customer_complaints': ['Reports of Near-Losses via Phishing', 'User Distrust in Domain Security'],
        'data_compromised': ['Wallet Connection Data (via Signature Requests)', 'Transaction Approval Metadata'],
        'downtime': ['Primary Domains Indefinitely (until resolution)', 'User Access Restricted to Decentralized Mirrors'],
        'identity_theft_risk': ['Potential (via Malicious Signatures)', 'Wallet Drain Risks'],
        'operational_impact': ['Emergency Protocol Lockdown', 'Domain Provider (Box Domains) Investigation', 'Parallel Warnings from Sister Protocol (Velodrome)'],
        'payment_information_risk': ['ETH/USDC/WETH/NFT Approval Exploits'],
        'systems_affected': ['Centralized Domains (.finance, .box)', 'Frontend Interface'],
    },
    'initial_access_broker': {
        'entry_point': 'DNS Hijacking (Box Domains Infrastructure)',
        'high_value_targets': ['Aerodrome Finance Users', 'Velodrome Finance (Potential)'],
    },
    'investigation_status': 'Ongoing (as of 2025-11-22)',
    'lessons_learned': [
        'DNS Infrastructure as a Critical Attack Vector in DeFi',
        'Need for Decentralized Frontend Redundancy (e.g., ENS Mirrors)',
        'User Education on Malicious Signature Requests',
        'Rapid Response Protocols for Domain Compromises',
    ],
    'motivation': ['Financial Gain (Asset Drain)', 'Exploitation of DeFi Users'],
    'post_incident_analysis': {
        'corrective_actions': [
            'Migration to Decentralized Frontend Hosting (ENS)',
            'Enhanced DNS Security Protocols',
            'User Awareness Campaigns on Phishing Tactics',
        ],
        'root_causes': [
            'DNS Provider Vulnerability (Box Domains)',
            'Lack of Frontend Redundancy (Over-Reliance on Centralized Domains)',
            'User Susceptibility to Social Engineering (Signature Requests)',
        ],
    },
    'recommendations': [
        'Adopt Multi-Layered DNS Security (e.g., DNSSEC, Decentralized Alternatives)',
        'Implement Frontend Transaction Simulators to Warn Users of Suspicious Approvals',
        'Regular Audits of Domain Registrars/Providers',
        'Cross-Protocol Collaboration for Threat Intelligence Sharing (e.g., Velodrome Parallel Warnings)',
    ],
    'references': [
        {'date_accessed': '2025-11-22', 'source': 'Aerodrome Finance (Twitter)', 'url': 'https://twitter.com/AerodromeFi/status/XXXXXX'},
        {'date_accessed': '2025-11-22', 'source': 'Mynimal Monster (Twitter - User Report)', 'url': 'https://twitter.com/MynimalM/status/XXXXXX'},
        {'date_accessed': '2025-10-30', 'source': 'Cryptonews.com (Garden Finance Exploit Context)', 'url': 'https://cryptonews.com/news/garden-finance-loses-10-8-million-in-exploit.htm'},
        {'date_accessed': '2025-11-01', 'source': 'PeckShield (October 2025 Hack Data)'},
    ],
    'response': {
        'communication_strategy': ['Real-Time Twitter Updates', 'Clear Instructions to Avoid Compromised Domains', 'Transparency About Smart Contract Security'],
        'containment_measures': ['Shutdown of Compromised Domains (.finance, .box)', 'Redirection to Decentralized Mirrors (aero.drome.eth.limo, aero.drome.eth.link)'],
        'enhanced_monitoring': ['Post-Incident DNS/Frontend Surveillance'],
        'incident_response_plan_activated': True,
        'remediation_measures': ['DNS Provider Investigation', 'Public Warnings via Social Media'],
        'third_party_assistance': ['Box Domains (Domain Provider)', 'ENS (Ethereum Name Service) for Decentralized Mirrors'],
    },
    'stakeholder_advisories': ['Avoid Compromised Domains', 'Use ENS Mirrors', 'Monitor Wallet Approvals'],
    'title': 'Base’s Top DEX Aerodrome Hit by a Suspected Frontend Security Breach via DNS Hijacking',
    'type': ['DNS Hijacking', 'Phishing', 'Frontend Compromise', 'Social Engineering'],
    'vulnerability_exploited': ['DNS Infrastructure Weakness (Box Domains)', 'Frontend Access Control', 'User Trust in Signature Requests'],
}