On November 22, 2025, Aerodrome (the leading DEX on Base) and Velodrome (the leading DEX on Optimism) suffered coordinated front-end compromises caused by a DNS hijack of their centralized domains. Users were silently redirected to phishing interfaces that attempted to drain wallets via malicious signature flows and unlimited approval prompts. Smart contracts and protocol liquidity remained intact.

The incident repeats a known pattern. Both protocols suffered a similar DNS-level attack in November 2023, which on-chain investigators estimated resulted in six-figure user losses.

What Happened?

2.1 High-level timeline

Public reporting and project communications point to the following sequence:

Early 22 November 2025 (ET):
Aerodrome and Velodrome detect anomalies on their centralized domains and begin investigating suspected DNS hijacks.

22 November, mid-day:
Both teams post on X that their front-ends have been compromised through DNS and urge users to avoid the main domains (for example aerodrome.finance, aerodrome.box, velodrome.finance, velodrome.box).

Same day, afternoon:
Fraudulent sites that had been loading earlier in the day stop resolving, suggesting that the registrars and the projects have begun to regain control of the DNS records.

Ongoing:
Teams continue to advise users to interact only via decentralized ENS-based mirrors and to revoke any suspicious token approvals. A full post-mortem had not been published at the time of writing.

2.2 Affected components

Compromised:

  • Centralized DNS records for primary domains
  • Hosted front-end websites behind those domains

Explicitly not compromised:

  • On-chain smart contracts and liquidity pools
  • Protocol treasuries and core logic

Both Aerodrome and Velodrome repeatedly emphasized that smart contracts remained secure and that the incident was isolated to the web front-end layer.

Technical Root Cause: DNS Hijack and Front-end Phishing

3.1 DNS hijacking of centralized domains

Reporting from CoinDesk, The Block, Cryptonews and community threads is consistent on the core root cause: attackers gained control of DNS records for the .finance and .box domains associated with Aerodrome and Velodrome.

A DNS hijack at this layer means:

  1. Users type in the correct URL, for example aerodrome.finance.
  2. DNS resolution no longer points to the legitimate front-end, but to attacker-controlled infrastructure.
  3. The browser loads a pixel-perfect clone of the real app, but every transaction request the page produces is routed to malicious contracts or scripted signing flows.

Reddit incident reports align with this description and attribute the hijack to a compromise at Box Domains, the domain provider used by Aerodrome.

3.2 Malicious transaction flow

Users and journalists describe a two-stage phishing pattern served from the hijacked Aerodrome interface:

Harmless looking signature bait

  • The fake UI first requested a simple message signature, reportedly containing only the value 1.
  • This creates a false sense of safety, since a plain message signature does not change on-chain state.

Unlimited approval cascade

  • Immediately after the initial signature, the site fired multiple approval prompts.
  • Approvals targeted NFTs, ETH, USDC, WETH and other assets, with unlimited spend permissions.
  • If a user accepted these prompts without close review, the attacker gained the ability to transfer those assets out of the wallet.

Cryptonews quotes an affected user who documented this behavior through screenshots and video, and describes how the sequence could drain an entire wallet if the user was inattentive.

3.3 Smart contracts unaffected

Across communications:

  • Aerodrome stated that audits and on-chain components remained intact and that the issue was limited to centralized domains and front-end access points.
  • The Block similarly reports that both protocols assured users that underlying smart contracts were not impacted.

This matches the threat model. DNS-level attacks sit entirely off-chain; they succeed by exploiting user trust in a familiar URL and UI, not by altering contract bytecode.

Impact and exposure

4.1 User losses

At the time of writing, there is not yet a consolidated, official loss figure for the November 22 incident:

  • CoinDesk notes that it remains unclear how many users, if any, suffered losses, and that on-chain impact is still being assessed.
  • Cryptonews and community reports focus on the mechanics of the unlimited approval drain attempts rather than final loss numbers.

In contrast, coverage of the November 29, 2023 Aerodrome and Velodrome DNS attack, referenced by FinanceFeeds and The Block, cites on-chain investigator ZachXBT who estimated user losses above 100 thousand dollars in that event.

For this 2025 incident, any concrete loss number should be treated as provisional until:

  • The teams publish a full post-mortem, and
  • Independent investigators correlate approvals and drains associated with the malicious front-ends.

4.2 Protocol and ecosystem risk

Even without confirmed loss totals, the risk profile is significant:

  • Aerodrome is the dominant DEX on Base, with hundreds of millions of dollars in TVL and a central role in routing and liquidity incentives.
  • Velodrome plays a similar role on Optimism and the broader Superchain, acting as the primary liquidity hub.

A coordinated DNS hijack against both platforms creates:

  • High exposure to retail users who trust the top DEX URL.
  • Knock-on risk for protocols that route trades or incentives through these DEXs.
  • Perception risk during a sensitive period, since Dromos Labs is actively preparing to merge Aerodrome and Velodrome into a unified Aero platform with a single AERO token.

Project Response

5.1 Immediate containment

Project teams took several actions once the attack was confirmed:

  1. Public warnings on X
    • Aerodrome and Velodrome both notified users of a DNS hijack and a front-end compromise, and explicitly told users not to use the .finance and .box domains.
  2. Shift to ENS based mirrors
    • Aerodrome published two decentralized mirror URLs: aero.drome.eth.limo and aero.drome.eth.link.
    • These ENS-based gateways resolve the name through Ethereum Name Service records instead of the project's own registrar-controlled DNS zone.
  3. Registrar escalation
    • Aerodrome publicly tagged Box Domains and asked them to investigate their systems.
    • Velodrome initially mentioned My.box as a provider and requested urgent contact, although that post was later deleted.
  4. User hygiene guidance
    • Users were advised to revoke recent token approvals with tools such as Revoke.cash and to avoid signing any transactions presented by unverified domains.

5.2 Restoration and current status

FinanceFeeds and The Block both report that, by later in the day, the malicious pages stopped loading and that a fix appeared to be in progress at the DNS level.

Until the teams fully stabilize ownership and configuration of their primary domains, the safest route for users remains:

  • Verified ENS mirrors
  • Direct contract interaction through reputable aggregators or manually imported contract addresses

Why this Attack Keeps Repeating

The 2025 hijack closely mirrors the November 2023 event that took down Aerodrome and Velodrome front-ends. In that earlier incident:

  • Both DEXs suffered DNS level compromise.
  • ZachXBT traced the issue to the registrar Porkbun and estimated losses above 100 thousand dollars.

The recurrence highlights an uncomfortable reality for DeFi:

  • Protocols can harden smart contracts, adopt formal verification, and secure treasuries.
  • However, they still often rely on traditional Web2 infrastructure for domains, DNS, and hosting.
  • Attackers will continue to target these weaker, centralized dependencies.

For Aerodrome and Velodrome, this pattern is especially problematic given they are currently preparing to merge into Aero and position themselves as a unified liquidity engine for Base and Optimism.

Security lessons for DeFi teams

From a security consulting perspective, the Aerodrome and Velodrome incident reinforces several practical lessons.

7.1 Treat DNS and domains as critical infrastructure

  • Use registrars that support strong security features such as mandatory multi-factor authentication, hardware key enforcement and DNSSEC
  • Restrict registrar account access, apply strict role separation and activity alerts
  • Monitor DNS record changes continuously and alert on unexpected modifications to A, CNAME or NS records for production domains
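One way to implement the continuous record monitoring recommended here, and to catch the resolution swap described in section 3.1, as an added Python example that is not Aerodrome, Velodrome or any registrar's tooling: it parses a `dig`-style answer snapshot (a constructed sample is embedded) and diffs the A, CNAME and NS record sets against a pinned baseline; the domain names, IPs and nameservers are placeholders.

```python
# Added example, not Aerodrome/Velodrome tooling: diff a DNS snapshot against a
# pinned baseline and alert on changed A, CNAME or NS record sets. Domains, IPs
# and nameservers are constructed placeholders; snapshot lines mimic `dig +noall +answer`.
import re
BASELINE = {  # constructed: the record sets the team expects its DNS to serve
    ("app.example-dex.test.", "A"): {"203.0.113.10", "203.0.113.11"},
    ("example-dex.test.", "NS"): {"ns1.dns-provider.test.", "ns2.dns-provider.test."},
    ("www.example-dex.test.", "CNAME"): {"app.example-dex.test."},
}
WATCHED = {"A", "CNAME", "NS"}
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+?)\s*$")  # name TTL IN type rdata

def parse_dig_answer(text: str) -> dict:
    """Group rdata by (owner, type) from dig-style answer lines; ';' comments are skipped."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparseable record line: %r" % line)
        name, _ttl, rtype, rdata = m.groups()
        if rtype in WATCHED:
            records.setdefault((name.lower(), rtype), set()).add(rdata.lower())
    return records

def dns_drift(baseline: dict, observed: dict) -> list:
    """One alert per watched record set that differs; a vanished set is an alert too."""
    alerts = []
    for name, rtype in sorted(set(baseline) | set(observed)):
        expected = baseline.get((name, rtype), set())
        seen = observed.get((name, rtype), set())
        if expected != seen:
            alerts.append("%s %s: expected %s, observed %s" % (
                name, rtype, sorted(expected) or "none", sorted(seen) or "none"))
    return alerts

# Constructed snapshot: A now points at an unrelated host, the NS delegation has
# moved, and the www CNAME is gone, the drift a registrar-level hijack produces.
HIJACKED_SNAPSHOT = """\
; constructed sample, not a real lookup
app.example-dex.test.   300   IN A   198.51.100.77
example-dex.test.       3600  IN NS  ns1.unknown-host.test.
example-dex.test.       3600  IN NS  ns2.unknown-host.test.
"""

if __name__ == "__main__":
    for alert in dns_drift(BASELINE, parse_dig_answer(HIJACKED_SNAPSHOT)):
        print("ALERT", alert)
```

In production the snapshot would come from periodic lookups against both the authoritative nameservers and public resolvers, so that a changed delegation at the registrar is noticed as quickly as a changed A record.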

7.2 Reduce trust in centralized front-ends

  • Maintain ENS domains and IPFS-based deployments as first-class access paths, not only as backups
  • Encourage power users to bookmark ENS-based gateways and verify checksums or IPFS content hashes
  • Consider serving critical transaction flows through audited, version-pinned front-end bundles that are verifiable on-chain or via content addressing

7.3 Harden transaction UX

Given that the attack relied on users signing a harmless-looking message followed by unlimited approvals:

  • Design front-ends to highlight risk levels for approvals, particularly unlimited allowances
  • Provide in-app warnings if a transaction originates from a non-canonical domain or an unverified origin
  • Integrate on-chain security tooling that flags suspicious approval patterns before prompting the user
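A wallet-side or front-end check for the unlimited approval cascade described in section 3.2 and the risk highlighting recommended here, as an added Python example that is not Aerodrome, Velodrome or any wallet's code: it decodes `approve(address,uint256)` and `setApprovalForAll(address,bool)` calldata, rates each prompt, and summarises a burst of prompts; the spender addresses and the `encode_approve` helper are constructed for the demo.

```python
# Added example, not Aerodrome/Velodrome or wallet code: decode the calldata a
# site asks a wallet to sign and rate the approval risk, so a front-end or wallet
# can flag the unlimited-allowance cascade described in 3.2 before the user
# clicks through. Selectors are the standard keccak-256 prefixes of
# approve(address,uint256) and setApprovalForAll(address,bool); addresses are constructed.
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
UINT256_MAX = (1 << 256) - 1

def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    word = data[4 + 32 * index: 36 + 32 * index]
    if len(word) != 32:
        raise ValueError("calldata too short for ABI word %d" % index)
    return word

def classify_approval(calldata: str, unlimited_floor: int = UINT256_MAX) -> dict:
    """Decode one approval-type call. 'risk' is 'none', 'limited' or 'unlimited';
    amounts at or above unlimited_floor count as unlimited (lower the floor to
    treat 'larger than any plausible balance' values as unlimited as well)."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector = data[:4].hex()
    if selector == APPROVE:
        spender = "0x" + _word(data, 0)[12:].hex()   # address is right-aligned in the word
        amount = int.from_bytes(_word(data, 1), "big")
        risk = "unlimited" if amount >= unlimited_floor else ("limited" if amount else "none")
        return {"kind": "erc20_approve", "spender": spender, "amount": amount, "risk": risk}
    if selector == SET_APPROVAL_FOR_ALL:
        operator = "0x" + _word(data, 0)[12:].hex()
        enabled = int.from_bytes(_word(data, 1), "big") != 0   # bool is a 32-byte word too
        return {"kind": "nft_set_approval_for_all", "spender": operator,
                "enabled": enabled, "risk": "unlimited" if enabled else "none"}
    return {"kind": "other", "risk": "none"}

def review_prompt_burst(calldatas) -> dict:
    """Summarise a burst of prompts: how many grant unlimited access and to whom.
    Several unlimited grants to one spender in a row is the drain signature."""
    unlimited = [c for c in map(classify_approval, calldatas) if c["risk"] == "unlimited"]
    return {"unlimited_count": len(unlimited), "spenders": sorted({c["spender"] for c in unlimited})}

def encode_approve(spender: str, amount: int) -> str:
    """Constructed helper: build approve() calldata so the demo runs offline."""
    return "0x" + APPROVE + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

if __name__ == "__main__":
    drainer = "0x" + "ba" * 20   # constructed placeholder spender address
    burst = [encode_approve(drainer, UINT256_MAX), encode_approve(drainer, UINT256_MAX),
             encode_approve(drainer, 250 * 10**6)]
    print(review_prompt_burst(burst))
```

In a real integration the calldata comes from the transaction request the site hands to the wallet, and a spender that is not the protocol's known router or pool contract would be the second signal to surface alongside the unlimited amount.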

7.4 Incident playbooks and communication

The coordinated X updates, ENS mirrors and revocation guidance from Aerodrome and Velodrome are directionally correct. For future incidents, teams should further formalize:

  • Pre-drafted templates for “front-end compromised, contracts safe” scenarios
  • Clear, plain-language instructions for non-technical users on revoking approvals and checking wallet exposure
  • Dedicated status pages that document incident progress independent from the main domain

Recommendations for users

If a user interacted with Aerodrome or Velodrome around the incident window and is unsure about their exposure, they should:

  1. Stop using the main .finance and .box domains until the projects declare them safe
  2. Review and revoke approvals for NFTs and tokens via tools such as Revoke.cash for any recent activity that may have gone through hijacked front-ends
  3. Prefer ENS mirrors such as aero.drome.eth.limo or direct contract interaction via trusted aggregators
  4. Monitor wallets for unexpected token movements, and move assets to a fresh address if there is any sign of compromise

Takeaways for the industry

The Aerodrome and Velodrome DNS hijack is not a failure of smart contract security. It is a failure at the interface between Web2 and Web3. As more capital flows into L2 ecosystems and real yields, adversaries increasingly focus on:

  • DNS, registrars and TLS termination
  • Wallet UX patterns that normalize frequent signing
  • The blind trust users place in a familiar URL

Until DeFi adopts resilient, decentralized access layers by default and treats DNS as high-value infrastructure, front-end compromises of this kind will keep repeating.
