Aerodrome Finance, the largest decentralized exchange operating on Coinbase’s Base network, is investigating a suspected DNS hijacking attack that redirected users to a malicious frontend interface. The project confirmed that all smart contracts and on-chain funds remain secure, but the centralized web domains that route users to the DEX were compromised.
Frontend Domains Redirected to Malicious Clone
According to the Aerodrome team, the affected domains include their primary .finance and .box URLs. Attackers appear to have gained control over the domain registrar, enabling them to reroute visitors to a fraudulent website designed to mimic the legitimate platform.
Users who unknowingly accessed the spoofed site were reportedly prompted to sign harmful transaction approvals. These approvals could grant the attacker unlimited access to a user’s assets, including ETH, USDC, NFTs, and other tokens, potentially enabling full wallet drains.
DNS Hijacking Suspected as Attack Vector
Initial findings indicate a classic DNS hijacking attack, where adversaries alter the domain’s routing at the registrar level. This attack does not require compromising the protocol itself, only the infrastructure that directs users to it. The Aerodrome team emphasized that the DEX’s contracts are fully intact and were never breached.
A parallel warning was also issued by Velodrome, Aerodrome’s sister protocol on the Optimism network. The simultaneous alerts raise concerns that the attackers may have exploited a vulnerability affecting the domain provider used by multiple DeFi projects.
Safety Instructions for Users
The Aerodrome team issued urgent guidance to protect users from the compromised frontend:
Avoid Official .finance and .box Domains
Until the investigation is complete, users should not visit or interact with the usual Aerodrome URLs.
Utilize Decentralized ENS-Powered Mirrors
Aerodrome deployed two verified, censorship-resistant access points using the Ethereum Name Service (ENS). These alternatives bypass traditional DNS and remain safe to use:
- •aero.drome.eth.limo
- •aero.drome.eth.link
These domains are hosted through decentralized gateways, reducing reliance on centralized domain registrars vulnerable to such attacks.
Review Wallet Approvals
Users are urged to check their existing token approvals and revoke any unfamiliar or unlimited allowances. The incident serves as a reminder that malicious contracts often disguise themselves as ordinary approvals.
A Wake-Up Call for DeFi Frontend Security
While the underlying contracts on Base remain fully secure, the attack exposes the fragility of centralized domain layers that sit above decentralized protocols. As DeFi expands across networks like Base and Optimism, ensuring secure and redundant access points is increasingly essential.
Aerodrome’s investigation is ongoing, and the team expects to issue further updates as they work to restore full frontend integrity.