Base’s Top Dex Aerodrome Hit By A Suspected Frontend Security Breach
- Aerodrome flagged its domain provider, Box Domains, as potentially compromised and within hours confirmed that both of its centralized domains, .finance and .box, had been hijacked and remained under attacker control.
- Users were told to avoid the hijacked domains and use two decentralized mirrors, aero.drome.eth.limo and aero.drome.eth.link, whose addressing lives in the Ethereum Name Service rather than in a registrar-controlled DNS zone.
- Affected users saw a harmless-looking signature request followed by approval prompts asking for unlimited allowances on NFTs, ETH, USDC and WETH.
- The team stated that the smart contracts were never affected; the compromise was confined to the frontend, that is, to how users reach the application.
What Happened
Aerodrome Finance, the leading decentralized exchange on the Base network, confirmed it is investigating a suspected DNS hijacking attack that compromised its centralized domains.
Aerodrome’s investigation began when the team detected unusual activity on its primary domain infrastructure approximately six hours before issuing public warnings.
Their investigation, conducted with AI assistance, examined browser configurations, extensions, DNS settings, and RPC endpoints, the usual client-side explanations for a malicious frontend, before concluding that the attack pattern matched a hijack of the domain's DNS itself rather than a problem on users' machines.
Market Context
October Records Lowest Crypto Hack Losses of the Year
The Aerodrome incident emerged during an unexpectedly quiet month for security: October saw the crypto market's lowest monthly hack losses of the year.
Why It Matters
While the team maintains that all smart contracts remain secure, the frontend compromise put users in front of a wallet drainer: anyone who signed the approval prompts without reading them could have had their wallet emptied, while users who checked each approval before confirming were not at risk from the contracts themselves.
The parallel warnings from Aerodrome and Velodrome suggested that attackers may have targeted Box Domains' infrastructure specifically in order to compromise multiple DeFi platforms at once.
One affected user documented the attack through screenshots and video recordings, capturing the progression from the initial signature request through multiple drain attempts.
"It asked for a simple signature, then instantly tried unlimited approvals to drain NFTs, ETH, and USDC," the user reported. "If you weren't paying attention, you could've lost everything."
Details
The protocol warned users to avoid accessing its primary .finance and .box domains and instead use two secure decentralized mirrors hosted on ENS infrastructure.
The attack unfolded rapidly, with affected users reporting malicious signature requests designed to drain multiple assets, including NFTs, ETH, and USDC, via prompts for unlimited token approvals.
DNS Hijacking Forces Emergency Protocol Lockdown
The protocol immediately flagged its domain provider, Box Domains, as potentially compromised and urged the service to reach out urgently.
Within hours, the team confirmed that both centralized domains, .finance and .box, had been hijacked and remained under attacker control.
The protocol responded by shutting down access to all primary URLs while establishing two verified safe alternatives: aero.drome.eth.limo and aero.drome.eth.link.
These decentralized mirrors resolve the frontend through the Ethereum Name Service, whose records are held on-chain and cannot be changed through a registrar's control panel, unlike the traditional DNS records that were hijacked here. One caveat a practitioner should keep in mind: the .limo and .link gateways are themselves reached through conventional DNS, so the stronger guarantee comes from checking the ENS content hash with an ENS-aware browser or resolver rather than from the gateway name alone.
The team emphasized that smart contract security remained intact throughout the incident, containing the breach exclusively to frontend access points.
Sister protocol Velodrome faced similar threats, prompting its team to issue parallel warnings about domain security.
Users Report Aggressive Multi-Asset Drain Attempts
One affected user described encountering the malicious interface before official warnings circulated, detailing how the compromised site deployed a deceptive two-stage attack.
The hijacked frontend first requested what appeared to be a harmless signature over a message containing only the number "1", the kind of low-stakes signature a site might request to establish a session.
Immediately after this seemingly innocuous request, the interface triggered a series of approval prompts requesting unlimited allowances for NFTs, ETH, USDC, and WETH.
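The two-stage pattern described above (a trivial signature, then a burst of unlimited approvals) is something a wallet or browser extension can recognize from the raw requests alone. The following is an added example, not code from the article or from Aerodrome: it decodes the calldata of `eth_sendTransaction` requests, flags ERC-20 `approve`/`increaseAllowance` calls with effectively unlimited amounts and ERC-721 `setApprovalForAll(…, true)` calls, and reports a drainer pattern when such approvals follow a signature request in the same session. The function selectors are the standard first four bytes of keccak256 of each signature; the token, router and attacker addresses and the sample session are constructed for illustration, and the "unlimited" threshold is a tuning choice, not a standard.

```javascript
// Added example (not from the article or Aerodrome): classify wallet requests
// and flag the signature-then-unlimited-approvals drainer pattern.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",          // ERC-20
  "0x39509351": "increaseAllowance(address,uint256)", // ERC-20 (OpenZeppelin)
  "0xa22cb465": "setApprovalForAll(address,bool)",    // ERC-721 / ERC-1155
};
const MAX_UINT256 = (1n << 256n) - 1n;
// Treat anything at or above 2^96-1 as "unlimited" (tuning choice: covers
// 2^256-1 as well as uint96-style infinite allowances).
const UNLIMITED_FLOOR = (1n << 96n) - 1n;

// i-th 32-byte ABI word of the calldata as a 64-char hex string (no 0x).
function abiWord(data, i) {
  const start = 10 + i * 64; // skip "0x" and the 8 hex chars of the selector
  return data.slice(start, start + 64);
}

// Classify one eth_sendTransaction parameter object.
function classifyTx(tx, trustedSpenders = []) {
  const data = (tx.data || "0x").toLowerCase();
  const out = { kind: "call", risk: "low", reason: "" };
  if (data.length < 10) {
    if (tx.value && BigInt(tx.value) > 0n) {
      out.kind = "transfer"; out.risk = "medium"; out.reason = "native ETH transfer";
    }
    return out;
  }
  const fn = SELECTORS[data.slice(0, 10)];
  if (!fn) return out;
  out.kind = fn;
  if (data.length < 10 + 2 * 64) {
    out.risk = "high"; out.reason = "approval call with truncated calldata";
    return out;
  }
  const spender = "0x" + abiWord(data, 0).slice(24); // last 20 bytes of word 0
  const amount = BigInt("0x" + abiWord(data, 1));
  out.spender = spender;
  const trusted = trustedSpenders.map((s) => s.toLowerCase()).includes(spender);
  if (fn === "setApprovalForAll(address,bool)") {
    if (amount !== 0n) {
      out.risk = trusted ? "medium" : "high";
      out.reason = "operator approval over an entire NFT collection";
    }
    return out;
  }
  if (amount >= UNLIMITED_FLOOR) {
    out.risk = trusted ? "medium" : "high";
    out.reason = "unlimited token allowance";
  } else if (amount > 0n) {
    out.risk = "medium"; out.reason = "bounded token allowance";
  }
  return out;
}

// Assess an ordered list of JSON-RPC requests from one site: a signature
// request followed by two or more high-risk approvals is the drainer pattern.
function assessSession(requests, trustedSpenders = []) {
  let sawSignature = false;
  const highRisk = [];
  for (const req of requests) {
    if (req.method === "personal_sign" || req.method === "eth_signTypedData_v4") {
      sawSignature = true;
      continue;
    }
    if (req.method === "eth_sendTransaction") {
      const c = classifyTx(req.params[0], trustedSpenders);
      if (c.risk === "high") highRisk.push({ to: req.params[0].to, ...c });
    }
  }
  return { drainerPattern: sawSignature && highRisk.length >= 2, highRiskCount: highRisk.length, highRisk };
}

// Helper to build ERC-20 approve calldata for the constructed samples.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  return "0x095ea7b3" + addr + amount.toString(16).padStart(64, "0");
}

// Constructed, hypothetical addresses and session (not real contracts).
const ATTACKER = "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const ROUTER = "0x1111111111111111111111111111111111111111";
const USDC = "0x2222222222222222222222222222222222222222";
const WETH = "0x3333333333333333333333333333333333333333";
const NFT = "0x4444444444444444444444444444444444444444";
const SAMPLE_SESSION = [
  { method: "personal_sign", params: ["0x31", "0x5555555555555555555555555555555555555555"] }, // message "1"
  { method: "eth_sendTransaction", params: [{ to: USDC, data: encodeApprove(ATTACKER, MAX_UINT256) }] },
  { method: "eth_sendTransaction", params: [{ to: WETH, data: encodeApprove(ATTACKER, MAX_UINT256) }] },
  { method: "eth_sendTransaction", params: [{ to: NFT, data: "0xa22cb465" + ATTACKER.slice(2).padStart(64, "0") + "1".padStart(64, "0") }] },
];
const LEGIT_SESSION = [
  { method: "eth_sendTransaction", params: [{ to: USDC, data: encodeApprove(ROUTER, 1000n * 10n ** 6n) }] }, // 1000 USDC
];

console.log(JSON.stringify(assessSession(SAMPLE_SESSION, [ROUTER]), null, 2));
```

The allowance check matters more than the signature check: a `personal_sign` over "1" cannot move funds by itself, but the approvals that follow it can, so the session verdict is driven by the decoded amounts and spenders, with a known router only downgrading an unlimited allowance to "medium" rather than clearing it.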
Another community member described a separate, recent wallet-draining incident, noting that even as a seasoned veteran and full-stack developer they still fell victim to a sophisticated attack.
Despite that expertise, the user lost significant funds and spent three days writing a script built on Jito bundles (a Solana transaction-bundling service) that recovered roughly 10-15% of the stolen assets through on-chain stealth operations.