Explained: The Aerodrome Finance Hack (November 2025)

POSTED BY: Rob Behnke

11.25.2025

In November 2025, Aerodrome Finance, Base’s largest decentralized exchange (DEX), was the target of a DNS hijacking attack. By using DNS to redirect users to a phishing site, the attacker was able to steal over a million dollars from their wallets in the space of a few hours.

Inside the Attack

The Domain Name System (DNS) is one of the fundamental protocols of the Internet, translating domain names (like halborn.com) into IP addresses. To visit a website, a browser will send a query to a domain name server to retrieve the record containing the IP address of the target site.

In a DNS hijacking attack, an attacker modifies a DNS record to point to their own, malicious site. In this case, Aerodrome Finance’s DNS records for its .box and .finance domains, managed by Box Domains, were edited to direct traffic to a malicious copy of its legitimate Web2 frontend. The root cause of the incident was found to be an insider threat at NameSilo.

When users visited these sites, they were prompted to connect their wallets and digitally sign a transaction that appeared to be just the number “1”. However, it was followed by a series of unlimited approval requests for various assets. If the user digitally signed transactions containing these approvals, the attacker could then use them to drain ETH, WETH, USDC, and other approved tokens from their wallets. It’s estimated that over $1 million was drained from user wallets within an hour.

This attack targeted Aerodrome Finance’s Web2 frontends and the DNS infrastructure that they rely upon. After discovering the attack, the DEX warned users and directed them to two safe mirrors of the interface, which used the decentralized Ethereum Name Service (ENS), rather than DNS.

Lessons Learned from the Attack

The Aerodrome Finance incident shows how Web3’s reliance on Web2 infrastructure and websites creates security risks for projects. In this case, an attack targeting the DEX’s DNS records allowed attackers to deploy highly realistic phishing sites using real project URLs. This demonstrates the value of the ENS and decentralized, more secure versions of traditional Internet infrastructure.

For users, this attack serves as a warning about the importance of carefully reviewing all details of a transaction before signing and being wary of connecting a wallet to a site. In this case, the phishing site sent many spam requests for unlimited approvals in the hope that a user would approve them without realizing the risk.
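As an illustration of what reviewing an approval request before signing can involve, the following added example (not code from Halborn or Aerodrome Finance) decodes ERC-20 `approve` and `increaseAllowance` calldata and flags unlimited amounts and unrecognised spenders. The addresses, the allowlist, and the intended amount are constructed placeholders, and the finding names are assumptions of this sketch.

```javascript
// Added example: decode ERC-20 approval calldata before signing and flag risky grants.
const MAX_UINT256 = (1n << 256n) - 1n;

// 4-byte selectors of the standard allowance-granting calls.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
};

// Returns null for non-approval calldata, otherwise the decoded grant plus findings.
function reviewApproval(dataHex, { expectedSpenders = [], intendedAmount = 0n } = {}) {
  const hex = dataHex.toLowerCase().replace(/^0x/, "");
  const name = SELECTORS[hex.slice(0, 8)];
  if (!name) return null;
  // Two 32-byte ABI words follow the selector: spender (left-padded) and amount.
  if (hex.length !== 8 + 128 || !/^[0-9a-f]+$/.test(hex)) {
    return { name, findings: ["malformed-calldata"] };
  }
  const spenderWord = hex.slice(8, 72);
  const spender = "0x" + spenderWord.slice(24);
  const amount = BigInt("0x" + hex.slice(72, 136));
  const findings = [];
  if (!/^0{24}/.test(spenderWord)) findings.push("dirty-address-padding");
  if (amount === MAX_UINT256) findings.push("unlimited-allowance");
  else if (amount > intendedAmount) findings.push("allowance-exceeds-intended-amount");
  const allow = expectedSpenders.map((a) => a.toLowerCase());
  if (!allow.includes(spender)) findings.push("unexpected-spender");
  return { name, spender, amount, findings };
}

// Constructed sample input: placeholder addresses, not taken from the incident.
const ROUTER = "0x" + "11".repeat(20);   // hypothetical contract the user means to use
const UNKNOWN = "0x" + "ee".repeat(20);  // hypothetical unrecognised spender
const word = (v) => v.toString(16).padStart(64, "0");
const encode = (sel, spender, amount) =>
  "0x" + sel + spender.slice(2).padStart(64, "0") + word(amount);

const SAMPLE_UNLIMITED = encode("095ea7b3", UNKNOWN, MAX_UINT256);
const SAMPLE_BOUNDED = encode("095ea7b3", ROUTER, 250_000_000n); // 250 USDC at 6 decimals

for (const data of [SAMPLE_UNLIMITED, SAMPLE_BOUNDED]) {
  const r = reviewApproval(data, { expectedSpenders: [ROUTER], intendedAmount: 250_000_000n });
  console.log(r.spender, r.amount.toString(), r.findings);
}
```

An empty findings list only means the request matches what the caller said it expected; it says nothing about whether the site that produced the request is genuine.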

DeFi projects can implement various security controls to help shield their users from these types of threats, like replacing DNS with ENS. For advice on how to best manage security risks for your project and its users, get in touch.
