Base’s largest decentralized exchange, Aerodrome Finance, is facing a major security threat after reporting a suspected front-end exploit affecting its main centralized domains.
The team has confirmed that attackers are hijacking DNS records to reroute users to phishing pages, creating a serious risk for anyone attempting to access the platform through its compromised URLs. While investigations continue, Aerodrome stresses that all smart contracts remain secure and unaffected. However, users are warned to stay away from the affected domains until the issue is fully resolved.
Incident Details: Front-End Attack Through DNS Hijacking
The attack targets Aerodrome’s centralized web infrastructure rather than the protocol’s underlying on-chain systems. DNS hijacking reroutes web traffic to a malicious site without users realizing that anything has changed. In this type of attack, users may load a webpage that looks identical to the real Aerodrome interface, but instead, it captures wallet data or tricks users into approving malicious transactions.
Aerodrome confirmed the exploit in a public notice and urged immediate caution. Users who visit the main domains may unknowingly land on phishing fronts controlled by the attackers. The team is treating the situation as a critical security event and has placed tight focus on shutting down the malicious routing and restoring full control.
At the moment, no official data confirms whether user losses have occurred. Investigations are active, and Aerodrome expects to share additional information as progress is made.
Centralized Domains Compromised
Aerodrome has openly stated that the following primary domains are compromised and should not be accessed until further notice:
`.finance`
`.box`
These centralized domains represent the most common entry points for everyday users. Because DNS systems operate off-chain and rely on third-party infrastructure, they remain vulnerable to takeover and spoofing in ways smart contracts are not.
The project encouraged the community to avoid visiting or interacting with either site until the issue is cleared. Many users may still default to these domains out of habit, raising the risk of falling into the phishing funnel. The warning remains firm and immediate: stay away from the main domains until the investigation concludes.
Decentralized ENS Mirrors Remain Safe
While the main domains are compromised, Aerodrome has confirmed that two decentralized ENS mirrors remain fully safe to use:
`aero.drome.eth.limo`
`aero.drome.eth.link`
These URLs resolve through decentralized naming systems rather than centralized DNS, making them resistant to this type of attack. They provide a secure route for users who still need access to Aerodrome’s platform functions while the team battles the ongoing threat.
The team recommended that anyone interacting with the platform for swaps, liquidity management, or pool positions should only use the ENS mirrors until normal access is restored. These URLs remain under the project’s full control and direct users to the authentic interface.
Smart Contracts Remain Secure
Despite the alarming nature of the attack, Aerodrome made it clear that the platform’s core systems, including its smart contracts, are completely secure. The front-end breach affects only how the interface loads and where it resolves from. The DeFi infrastructure, pools, funds, and contract-level logic are untouched and remain safe on-chain.
This separation means user funds in the protocol are not automatically at risk unless someone signs a malicious transaction after interacting with the fake site. The contracts themselves still function correctly, and no exploit has breached the protocol’s treasury or liquidity reserves.
Update: centralized domains (.finance and .box) remain compromised. Please do not use either domain for now.
Two decentralized mirrors remain safe to use:https://t.co/7U8yRQs1Lihttps://t.co/mnbqM27GdS
All smart contracts remain secure.
We’ll provide further updates as the… https://t.co/1VPGDnq10L
— Aerodrome (@AerodromeFi) November 22, 2025
Fast Investigation and Reassurance to Users
The Aerodrome team has moved quickly to alert the community. Communication has remained active, clear, and direct. The project published multiple warnings and is continuing to update users as progress develops. The focus is on:
- Cutting off the malicious routing
- Regaining full DNS control
- Confirming whether losses occurred
- Restoring safe access to normal domains
- Maintaining transparency throughout the process
The team has also assured users that no rushed actions are necessary unless they interacted with the compromised domains during the phishing period. Those who did should review recent wallet approvals, transaction histories, and connection logs.
Why DNS Attacks Matter in DeFi
The incident highlights a growing challenge for decentralized platforms: even when on-chain systems are secure, Web2 infrastructure can still be targeted. DNS attacks are especially problematic because they do not require hacking the project’s servers or ownership records. They compromise the access layer, the part users interact with first.
This attack format is not new in crypto. Projects can encrypt smart contracts, use multisigs, audits, and on-chain security systems, yet a simple DNS compromise can temporarily bypass all of that if users engage with the wrong interface.
Aerodrome’s response demonstrates a shift already happening in DeFi. More teams are preparing decentralized front-end mirrors and ENS routes to reduce single points of failure and improve resilience. In this case, the ENS backups ensured Aerodrome users could continue interacting with the protocol safely without risk of falling into fake sites.
User Guidance Moving Forward
While the situation is still developing, the instructions for users remain direct and simple:
1. Do not access the `.finance` or `.box` domains.
2. Use only the decentralized ENS links if you need platform access.
3. Check wallet approvals if you interacted with the compromised site.
4. Wait for further official updates from the Aerodrome team.
This incident remains a critical reminder that even trusted Web3 platforms can face sudden attacks aimed at users rather than protocol logic.
Aerodrome Finance continues to investigate the breach and is pursuing a resolution as quickly as possible. The team has been transparent and active in guiding the community through the issue and maintaining safety around user interactions. While smart contracts and user funds remain secure on-chain, caution is required until the front-end infrastructure is fully restored.
More updates are expected as the security probe unfolds.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @themerklehash to stay updated with the latest Crypto, NFT, AI, Cybersecurity, and Metaverse news!
