
A Frontend Breach on Base: Phishing Risks and Rapid Response
On November 22, 2025, Aerodrome Finance—a leading decentralized exchange (DEX) on Coinbase’s Base network with $400 million in total value locked (TVL)—issued an urgent warning to users after detecting a suspected DNS hijacking attack that compromised its primary centralized domains.
The breach, which began approximately six hours before public alerts, allowed attackers to reroute traffic from Aerodrome’s main sites (.finance and .box) to phishing pages designed to trick users into signing malicious transactions, potentially draining assets like NFTs, ETH, USDC, and WETH. While the underlying smart contracts remain secure and unaffected, the team has suspended access to the compromised domains, recommending users switch to decentralized Ethereum Name Service (ENS) mirrors for safe interaction.
The incident, which Aerodrome confirmed as a frontend compromise rather than a protocol exploit, prompted immediate action: All centralized domains were flagged as unsafe, and the team urged users to revoke recent token approvals, avoid signing unverified transactions, and monitor wallets for suspicious activity.
Co-founder and CEO Alexander Cutler emphasized that the attack’s pattern aligned with DNS hijacking—where attackers seize domain control to redirect users—rather than a flaw in Aerodrome’s code. “This is out of our control as a team, but we’re working with top security firms to resolve it,” Cutler stated on X, also criticizing rival builders for mocking the situation during the crisis. Early reports suggest losses exceeding $1 million across affected users, though the full scope is under investigation.
This breach comes just days after Aerodrome’s merger announcement with Velodrome Finance, consolidating liquidity across Base and Optimism under the “Aero” ecosystem—a move that had propelled AERO’s price to $0.67 (+2% in the last 24 hours, despite a 21% weekly decline). The timing raises questions about whether the attack was opportunistic or targeted, but Aerodrome’s team has ruled out smart contract vulnerabilities.
Attack Details: DNS Hijacking and Phishing Tactics
DNS hijacking involves attackers gaining control of a domain’s name server records, redirecting legitimate traffic to malicious sites that mimic the original interface. In Aerodrome’s case, the compromise affected both primary domains (.finance and .box), exposing users to phishing prompts for wallet approvals that could drain connected assets. The team detected anomalous activity on its domain provider, Box Domains, and quickly isolated the issue, confirming no impact on 3DNS infrastructure (protected by multisig) or ENS-based decentralized mirrors.
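From the defender's side, a change in a domain's name server or address records can be caught by comparing what resolvers return against a pinned baseline. The sketch below is an added example, not Aerodrome's or its provider's tooling; the domain, name servers, addresses and snapshots are all constructed, and in practice the observed values would come from periodic queries through several independent resolvers.

```python
# Added example: compare observed DNS answers with a pinned baseline.
# Domains, name servers and addresses are constructed (reserved example ranges).
BASELINE = {
    "app.dex.example": {
        "NS": {"ns1.dns-host.example.", "ns2.dns-host.example."},
        "A": {"203.0.113.10", "203.0.113.11"},
    }
}

def normalize(rtype, values):
    """Case-fold and make host names fully qualified so sets compare cleanly."""
    out = set()
    for v in values:
        v = v.strip().lower()
        if rtype == "NS" and not v.endswith("."):
            v += "."
        out.add(v)
    return out

def check_snapshot(domain, observed, baseline=BASELINE):
    """Return drift findings for one resolver snapshot of `domain`."""
    findings = []
    for rtype, pinned in baseline[domain].items():
        expected = normalize(rtype, pinned)
        seen = normalize(rtype, observed.get(rtype, ()))
        added, removed = seen - expected, expected - seen
        if added:
            # Unknown name servers mean the delegation itself moved; unknown
            # addresses with intact NS point at tampered records in the zone.
            severity = "critical" if rtype == "NS" else "high"
        elif removed:
            severity = "info"  # partial answer or planned change; review
        else:
            continue
        findings.append({"domain": domain, "type": rtype, "severity": severity,
                         "added": sorted(added), "removed": sorted(removed)})
    return findings

# Constructed snapshots: one healthy, one after the delegation was replaced.
HEALTHY = {"NS": ["NS1.dns-host.example", "ns2.dns-host.example."],
           "A": ["203.0.113.11", "203.0.113.10"]}
HIJACKED = {"NS": ["ns1.unknown-dns.example.", "ns2.unknown-dns.example."],
            "A": ["198.51.100.77"]}

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(name, check_snapshot("app.dex.example", snap))
```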
Key facts from the investigation:
- Onset: Unusual domain activity flagged ~6 hours before alerts; provider notified immediately.
- Scope: Centralized domains only; smart contracts and on-chain data intact.
- Tactics: Phishing sites requested signatures for NFT/ETH/USDC/WETH drains; no reported exploits on core protocol.
- Response: Users advised to use ENS mirrors (e.g., aerodrome.eth); revoke approvals via Etherscan; monitor for unauthorized txs.
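The "revoke approvals" step depends on knowing which grants are still in force. The following added example (not from Aerodrome or the original article) replays ERC-20 `Approval` and `ApprovalForAll` event logs for one wallet and returns the grants to unrecognised spenders that have not yet been revoked; it goes slightly beyond the article by handling later revocations. All addresses, the trusted-spender set, the block numbers and the log entries are constructed, and logs are assumed to be already fetched with integer `blockNumber` and `logIndex` fields.

```python
# Added example; every address and log entry below is constructed.
# Event signature hashes (topic0) for the standard approval events:
APPROVAL = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVAL_FOR_ALL = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

def pad(address):
    """20-byte address -> 32-byte indexed topic."""
    return "0x" + "0" * 24 + address[2:]

def addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def live_untrusted_approvals(logs, wallet, trusted, from_block):
    """Replay approvals in chain order; return unrevoked grants to unknown spenders."""
    state = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        if log["blockNumber"] < from_block or topics[0] not in (APPROVAL, APPROVAL_FOR_ALL):
            continue
        if len(topics) != 3 or addr(topics[1]) != wallet.lower():
            continue  # other owner, or ERC-721 single-token Approval (4 topics)
        spender = addr(topics[2])
        kind = "ApprovalForAll" if topics[0] == APPROVAL_FOR_ALL else "ERC20"
        value = int(log["data"], 16)  # allowance amount, or 0/1 for the bool
        key = (log["address"].lower(), spender, kind)
        if value == 0:
            state.pop(key, None)      # allowance set to zero: revoked
        elif spender not in trusted:
            state[key] = value
    return state

WALLET = "0x" + "11" * 20
TOKEN, NFT = "0x" + "aa" * 20, "0x" + "cc" * 20
ROUTER = "0x" + "bb" * 20             # hypothetical known-good spender
UNKNOWN_A, UNKNOWN_B = "0x" + "dd" * 20, "0x" + "ee" * 20
MAX, ZERO, TRUE = "0x" + "f" * 64, "0x" + "0" * 64, "0x" + "0" * 63 + "1"

def make_log(block, idx, contract, sig, spender, data):
    return {"blockNumber": block, "logIndex": idx, "address": contract,
            "topics": [sig, pad(WALLET), pad(spender)], "data": data}

SAMPLE_LOGS = [
    make_log(100, 0, TOKEN, APPROVAL, ROUTER, MAX),            # trusted spender
    make_log(105, 2, TOKEN, APPROVAL, UNKNOWN_A, MAX),         # unlimited, unknown
    make_log(106, 1, NFT, APPROVAL_FOR_ALL, UNKNOWN_B, TRUE),  # whole collection
    make_log(110, 0, TOKEN, APPROVAL, UNKNOWN_A, ZERO),        # later revoked
]

if __name__ == "__main__":
    print(live_untrusted_approvals(SAMPLE_LOGS, WALLET, {ROUTER}, 100))
```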
Community estimates peg losses at over $1 million in the first hour, with one developer reporting a separate drain incident requiring a custom recovery script. Aerodrome’s recent buyback program—distributing $14.2 million over 30 days—had bolstered confidence, but the breach highlights frontend risks in DeFi.
| Element | Status | Impact |
|---|---|---|
| Smart Contracts | Secure | No funds at risk on-chain |
| Centralized Domains | Compromised | Avoid .finance/.box; use ENS |
| Estimated Losses | $1M+ (1 hour) | Phishing drains; revocations urged |
| Investigation | Ongoing | Top security teams engaged |
Data from Aerodrome’s X updates and CoinDesk reports (November 22, 2025).
Broader Implications: DeFi’s Frontend Fragility
Aerodrome’s breach, while contained, exposes a persistent vulnerability in DeFi: Reliance on centralized frontends for user interfaces. ENS mirrors—decentralized alternatives leveraging Ethereum Name Service—offer a workaround, but adoption lags due to complexity. Velodrome Finance, Aerodrome’s merger partner, reported a similar issue, suggesting a possible wider attack vector on Base ecosystem domains.
In a $3.57 trillion market where DeFi TVL clings to $167 billion (+40.2% Q3 but down 21% from peaks), such incidents erode trust, especially post-2025’s $53 billion in scams. Aerodrome’s $14.2 million 30-day earnings (surpassing Pump.fun’s $8.96 million) underscore the stakes—frontend security is non-negotiable for sustained growth.
As Cutler affirmed: “The first rule of building in DeFi is that you don’t use exploits to dunk on other builders—especially for something like a DNS hijacking.” The team pledges updates via Telegram and vows to enhance domain safeguards. For users: Revoke approvals, use ENS, and stay vigilant—phishing remains DeFi’s Achilles’ heel.
In Base’s burgeoning ecosystem, Aerodrome’s response isn’t just damage control—it’s a call to arms for decentralized resilience. The breach stings, but the protocol endures. DYOR; security first.