Base’s Leading DEX Aerodrome Targeted by Alleged Frontend Security Incident


Aerodrome Finance, the foremost decentralized exchange on the Base network, has confirmed that it is looking into a suspected DNS hijacking incident that has compromised its centralized domains.

The protocol has advised users to refrain from accessing its main .finance and .box domains and to utilize two secure decentralized mirrors hosted on ENS infrastructure instead.

The attack occurred swiftly, with affected users reporting malicious signature requests aimed at draining various assets, including NFTs, , and , through unlimited approval prompts.

While the team asserts that all smart contracts are secure, the frontend compromise has exposed users to advanced phishing attempts that could have emptied wallets for those who were not closely monitoring transaction approvals.

We are actively investigating a frontend compromise.
Please refrain from accessing the site via any URL — primary domain or decentralized mirrors — until we confirm that everything is secure.
All smart contracts appear to be secure. Updates will follow.

— Aerodrome (@AerodromeFi) November 22, 2025

DNS Hijacking Triggers Emergency Protocol Lockdown

Aerodrome’s investigation commenced when the team identified unusual activity on its primary domain infrastructure roughly six hours prior to issuing public alerts.

The protocol promptly flagged its domain provider, Box Domains, as potentially compromised and urged the service to respond urgently.

Within hours, the team verified that both centralized domains, .finance and .box, had been hijacked and remained under the control of the attackers.

The protocol reacted by disabling access to all primary URLs while establishing two verified safe alternatives: aero.drome.eth.limo and aero.drome.eth.link.

Update: centralized domains (.finance and .box) remain compromised. Please do not use either domain for the time being.
Two decentralized mirrors are safe to use: https://t.co/7U8yRQs1Li https://t.co/mnbqM27GdS
All smart contracts remain secure.
We will provide further updates as the… https://t.co/1VPGDnq10L

— Aerodrome (@AerodromeFi) November 22, 2025

These decentralized mirrors utilize the Ethereum Name Service, which functions independently of conventional DNS systems that are susceptible to hijacking.

The team highlighted that the security of smart contracts remained intact throughout the incident, confining the breach solely to frontend access points.

The sister protocol Velodrome encountered similar threats, prompting its team to issue concurrent warnings regarding domain security.

The coordinated nature of the alerts indicated that attackers may have systematically targeted Box Domains’ infrastructure to compromise multiple platforms simultaneously.

Users Report Aggressive Multi-Asset Drain Attempts

One affected user recounted encountering the malicious interface prior to the official warnings being issued, describing how the compromised site executed a deceptive two-stage attack.

The hijacked frontend initially requested what seemed to be a harmless signature containing only the number “1,” establishing the initial wallet connection.

Immediately following this seemingly benign request, the interface triggered an unlimited number of approval prompts for NFTs, ETH, USDC, and WETH.
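
The approval prompts described above can be recognized from raw transaction calldata before anything is signed. The following is an added example, not code from Aerodrome or from any wallet: the function names, the "unlimited" threshold, the trusted-spender set and all addresses are assumptions constructed for illustration, while the selectors are the standard ERC-20, ERC-721 and ERC-1155 ones.

```javascript
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256): ERC-20 amount or ERC-721 tokenId
  "39509351": "increaseAllowance", // increaseAllowance(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool): ERC-721 / ERC-1155
};
const UNLIMITED_FLOOR = 1n << 255n; // assumption: amounts this large count as unlimited

function classifyApproval(tx, trusted = new Set()) {
  const data = String(tx.data || "").toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[data.slice(0, 8)];
  if (!fn) return { risk: "none", reason: "not an approval call" };
  // The 4-byte selector must be followed by two 32-byte ABI words.
  if (!/^[0-9a-f]{136,}$/.test(data))
    return { risk: "high", fn, reason: "malformed approval calldata" };
  const spender = "0x" + data.slice(32, 72);        // low 20 bytes of word 1
  const arg = BigInt("0x" + data.slice(72, 136));   // word 2: amount, tokenId or bool
  const known = trusted.has(spender);
  if (fn === "setApprovalForAll") {
    if (arg === 0n) return { risk: "none", fn, spender, reason: "revokes operator" };
    return { risk: known ? "review" : "high", fn, spender,
             reason: "operator may move every token in the collection" };
  }
  const unlimited = arg >= UNLIMITED_FLOOR;
  return { risk: unlimited && !known ? "high" : "review", fn, spender,
           reason: unlimited ? "unlimited allowance" : "bounded amount or single tokenId" };
}

// Flags the pattern reported on this page: high-risk approvals for several
// different token contracts that all name the same untrusted spender.
function reviewSession(txs, trusted = new Set()) {
  const bySpender = new Map();
  for (const tx of txs) {
    const r = classifyApproval(tx, trusted);
    if (r.risk !== "high" || !r.spender) continue;
    if (!bySpender.has(r.spender)) bySpender.set(r.spender, new Set());
    bySpender.get(r.spender).add(String(tx.to).toLowerCase());
  }
  return [...bySpender].filter(([, tokens]) => tokens.size >= 2)
    .map(([spender, tokens]) => ({ spender, tokens: tokens.size }));
}

// Constructed sample requests (placeholder addresses, not real contracts).
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x" + "bd".repeat(20);
const [TOKEN_A, TOKEN_B, NFT] = ["a1", "b2", "c3"].map((b) => "0x" + b.repeat(20));
const SAMPLE = [
  { to: TOKEN_A, data: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64) }, // max uint256
  { to: NFT, data: "0xa22cb465" + pad(SPENDER) + pad("1") },           // approved = true
  { to: TOKEN_B, data: "0x095ea7b3" + pad(SPENDER) + pad("0f4240") },  // bounded amount
];
```

A bounded approval still returns "review" rather than "none", because the spender address is what decides whether the request is legitimate.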

“It requested a simple signature, then instantly attempted unlimited approvals to drain NFTs, ETH, and USDC,” the user reported. “If you weren’t vigilant, you could have lost everything.”

The victim documented the attack through screenshots and video recordings, capturing the sequence from the initial signature request to multiple drain attempts.

Before these unlimited approval prompts, the hijacked site first asked me to sign a harmless-looking message with just “1”.
Right after, it triggered approvals to drain NFTs, ETH, USDC, WETH, everything.
If you weren’t paying attention, you could lose your whole wallet instantly. pic.twitter.com/bJxFazMEvn

— Mynimal Monster (@MynimalM) November 22, 2025

Their investigation, aided by AI, examined browser configurations, extensions, DNS settings, and RPC endpoints before concluding that the attack pattern was consistent with DNS hijacking techniques.

Another community member shared an experience with a different draining incident recently, identifying themselves as a seasoned veteran and full-stack developer who still fell victim to sophisticated attacks.

Despite their technical expertise, the user lost a significant amount of funds and spent three days developing a Jito bundle-based script to recover approximately 10-15% of the stolen assets through on-chain stealth operations.

October Records Lowest Crypto Hack Losses of the Year

The Aerodrome incident occurred during October’s unexpected security milestone, as the recorded its lowest monthly hack losses of the year.

Data from blockchain security firm PeckShield indicates that only $18.18 million was stolen across 15 separate incidents, marking a significant 85.7% decrease from September’s $127.06 million.

Excluding the late-month Garden Finance exploit, total losses would have been around $7.18 million, the lowest single-month figure since early 2023.

The largest incidents took place at Garden Finance, Typus Finance, and Abracadabra, which together accounted for $16.2 million of the total stolen funds.

Garden Finance loses $10.8 million in exploit as on-chain data shows over 25% of platform volume linked to stolen funds from major security breaches. #Crypto #Bitcoin #Exploit https://t.co/Tb8zYW8oPH

— Cryptonews.com (@cryptonews) October 30, 2025

Garden Finance, a Bitcoin peer-to-peer protocol, revealed on October 30 that it had been exploited for over $10 million after one of its solvers was compromised, with the breach affecting only the solver’s own inventory.

Typus Finance experienced an oracle manipulation attack on October 15 that drained approximately $3.4 million from its liquidity pools, traced to a flaw in one of its TLP contracts that caused the project’s native token to decline by about 35%.

DeFi lending platform Abracadabra faced its third exploit since launch around the same period, resulting in approximately $1.8 million in MIM stablecoin losses after hackers circumvented solvency checks through a smart contract vulnerability.

The post Base’s Top DEX Aerodrome Hit by a Suspected Frontend Security Breach appeared first on Cryptonews.