
How Blockaid’s Customer Data Network Contained the Aerodrome DNS Attack

May Gong | Blog Post

The Incident

On November 21, Aerodrome and Velodrome experienced a DNS attack that compromised their primary frontend domains.

An attacker modified the SOA, NS, and A records for aerodrome.finance and velodrome.finance, redirecting both domains to a cloned frontend serving Eleven Drainer code. The underlying smart contracts and protocol logic were not exploited. The risk existed entirely at the DNS and frontend layer, where users trust interfaces to be authentic.
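Because the attack lived entirely in the SOA, NS and A records, the practical defender-side check is to pin the expected record sets for the frontend domain and alert the moment a live answer disagrees. The following is an added example, not Blockaid's or Aerodrome's code: the resolver is injected so the check runs offline against constructed answers, and every domain, nameserver and IP below is a made-up placeholder.

```python
"""Added example (not Blockaid's code): detect tampering with a domain's
SOA, NS and A records by diffing a live answer against a pinned baseline.
The resolver is injected so the check runs offline on constructed data;
the domain names and record values below are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """Record sets for one zone. Order is irrelevant, so sets are used."""
    soa: str          # primary nameserver named in the SOA MNAME field
    ns: frozenset     # delegated nameservers
    a: frozenset      # IPv4 answers for the frontend host


def dns_drift(baseline: DnsSnapshot, observed: DnsSnapshot) -> dict:
    """Return {record_type: (expected, observed)} for every record set that
    differs from the pinned baseline. An empty dict means no drift."""
    drift = {}
    if observed.soa != baseline.soa:
        drift["SOA"] = (baseline.soa, observed.soa)
    if observed.ns != baseline.ns:
        drift["NS"] = (sorted(baseline.ns), sorted(observed.ns))
    if observed.a != baseline.a:
        drift["A"] = (sorted(baseline.a), sorted(observed.a))
    return drift


def check_zone(domain: str, baseline: DnsSnapshot, resolve) -> tuple:
    """Resolve `domain` with the injected `resolve(domain) -> DnsSnapshot`
    and classify it. Any change to the delegation (SOA/NS) is treated as
    critical because it lets an attacker rewrite every other record."""
    observed = resolve(domain)
    drift = dns_drift(baseline, observed)
    if not drift:
        return "ok", drift
    if "SOA" in drift or "NS" in drift:
        return "critical", drift
    return "warning", drift


# Constructed baseline for a hypothetical frontend domain (values are made up).
BASELINE = {
    "dex.example": DnsSnapshot(
        soa="ns1.good-dns.example.",
        ns=frozenset({"ns1.good-dns.example.", "ns2.good-dns.example."}),
        a=frozenset({"192.0.2.10", "192.0.2.11"}),
    )
}

# Constructed "live" answers: one healthy, one matching the hijack pattern
# described above (SOA, NS and A all pointed at attacker infrastructure).
LIVE = {
    "healthy": DnsSnapshot(
        soa="ns1.good-dns.example.",
        ns=frozenset({"ns2.good-dns.example.", "ns1.good-dns.example."}),
        a=frozenset({"192.0.2.11", "192.0.2.10"}),
    ),
    "hijacked": DnsSnapshot(
        soa="ns1.rogue-dns.example.",
        ns=frozenset({"ns1.rogue-dns.example."}),
        a=frozenset({"198.51.100.7"}),
    ),
}


def resolver_for(scenario: str):
    """Build a fake resolver that returns the constructed answer for `scenario`."""
    return lambda domain: LIVE[scenario]


if __name__ == "__main__":
    for scenario in LIVE:
        status, drift = check_zone("dex.example", BASELINE["dex.example"], resolver_for(scenario))
        print(scenario, status, drift)
```

In production the injected `resolve` would wrap a real client such as dnspython's `dns.resolver.resolve`, ideally querying several independent recursive resolvers so that a poisoned cache at one of them does not mask or fake drift; the delegation records (SOA/NS) are rated critical here because, as in this incident, once they point at attacker nameservers the A records follow.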


Timeline (UTC):

  • 20:11 — DNS records are changed, redirecting both domains to a spoofed UI
  • 21:31 — Blockaid detects malicious transaction patterns across its customer network
  • 21:32 — The domain is classified as malicious and the signal is propagated network-wide
  • 22:07 — The first Aerodrome user report arrives, pointing to injected malicious code
  • 22:40 — Nameservers are replaced as remediation begins

Blockaid identified and classified the compromise before the first public user report surfaced.


Loss Prevention through Blockaid’s Customer Data Network

Blockaid detected the compromise by correlating malicious transaction activity observed across its Customer Data Network.

Once the domain was classified as malicious, that signal was immediately propagated to Blockaid-integrated partners. Wallets and platforms across the ecosystem began surfacing warnings to users interacting with Aerodrome’s frontend, including MetaMask, Coinbase Wallet, Ledger, Trezor, Rainbow, and Fireblocks.


During the incident:

  • 408 users were warned while connecting their wallet
  • 491 users were warned while actively signing transactions
  • Approximately $3.5M in funds were prevented from being drained

Blockaid also traced the attacker’s onchain behavior, identifying nine attacker-controlled addresses tied to ~$700K in stolen funds. These losses came from users outside Blockaid’s network, who could not be warned in time.


How Blockaid’s Customer Data Network Powers Detection

Blockaid’s Customer Data Network is a core input to its threat intelligence engine, providing proprietary detection signals at ecosystem scale.

Through integrations with over 90% of major Web3 wallets, Blockaid simulates and validates 500M+ onchain wallet transactions every month. Each interaction — including transaction intents, signature requests, dApp connections, and execution outcomes — produces real-time signals that feed directly into Blockaid’s detection pipeline.

These signals are continuously correlated across the network and validated against onchain execution behavior. When a pattern is classified as malicious — such as a compromised domain, malicious dApp, or attacker-controlled address — that classification is immediately propagated to all connected customers.
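To make the correlate-classify-propagate loop concrete, here is an added toy correlator; it is not Blockaid's pipeline and the event shape, thresholds, addresses and domain are all constructed assumptions. It treats an origin as malicious once several distinct wallets, within a short window, are asked to approve or transfer to a counterparty the protocol is not known to use, and then pushes that verdict to every subscribed integration so later requests from the same origin are blocked immediately.

```python
"""Added example (not Blockaid's code or pipeline): a toy correlator that
classifies a dApp origin as malicious when wallet-transaction signals from
many independent wallets converge on the same previously unseen recipient,
then propagates that verdict to every subscribed integration. Thresholds,
event shape and all addresses/domains are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signal:
    """One pre-execution signal from an integrated wallet (constructed shape)."""
    ts: int            # unix seconds
    wallet: str        # user address
    origin: str        # dApp domain the request came from
    kind: str          # "approve" | "transfer" | "connect"
    counterparty: str  # spender or recipient, "" for connect


class Correlator:
    def __init__(self, known_contracts: set, min_wallets: int = 3, window: int = 600):
        self.known = known_contracts       # contracts the origin legitimately uses
        self.min_wallets = min_wallets     # distinct wallets before we classify
        self.window = window               # sliding window in seconds
        self.events = defaultdict(list)    # (origin, counterparty) -> [(ts, wallet)]
        self.blocklist = {}                # origin -> reason
        self.subscribers = []              # callables notified on new classifications

    def subscribe(self, callback):
        self.subscribers.append(callback)

    def ingest(self, sig: Signal) -> str:
        """Feed one signal; return the verdict for this origin after ingestion."""
        if sig.origin in self.blocklist:
            return "malicious"              # already propagated: block outright
        if sig.kind not in ("approve", "transfer") or sig.counterparty in self.known:
            return "benign"
        key = (sig.origin, sig.counterparty)
        self.events[key].append((sig.ts, sig.wallet))
        # keep only signals inside the sliding window
        self.events[key] = [(t, w) for t, w in self.events[key] if sig.ts - t <= self.window]
        victims = {w for _, w in self.events[key]}
        if len(victims) >= self.min_wallets:
            self._classify(sig.origin,
                           f"{len(victims)} wallets sent to unknown {sig.counterparty}")
            return "malicious"
        return "suspicious"

    def _classify(self, origin: str, reason: str):
        """Record the verdict and propagate it to every subscribed integration."""
        self.blocklist[origin] = reason
        for callback in self.subscribers:
            callback(origin, reason)


KNOWN_CONTRACTS = {"0xROUTER"}  # constructed placeholder for the protocol's router

# Constructed stream: two normal signals, then several distinct wallets on the
# same origin are asked to approve/transfer to an address nobody has seen before.
STREAM = [
    Signal(100, "0xalice", "dex.example", "approve", "0xROUTER"),
    Signal(110, "0xbob", "dex.example", "connect", ""),
    Signal(120, "0xalice", "dex.example", "approve", "0xDRAIN"),
    Signal(130, "0xbob", "dex.example", "approve", "0xDRAIN"),
    Signal(140, "0xcarol", "dex.example", "transfer", "0xDRAIN"),
    Signal(150, "0xdave", "dex.example", "approve", "0xDRAIN"),
]


def run_demo():
    """Run the stream through the correlator; return per-signal verdicts, the
    origins each subscribed integration was notified about, and the blocklist."""
    notified = defaultdict(list)
    correlator = Correlator(KNOWN_CONTRACTS)
    for integration in ("wallet-a", "wallet-b"):
        correlator.subscribe(lambda origin, reason, name=integration: notified[name].append(origin))
    verdicts = [correlator.ingest(s) for s in STREAM]
    return verdicts, dict(notified), correlator.blocklist


if __name__ == "__main__":
    print(run_demo())
```

The fourth wallet in the stream never reaches the correlation step: its request is refused on the strength of the blocklist entry created by the third, which is the "detected in one place, protection everywhere else" effect in miniature. A real pipeline would also validate candidate verdicts against onchain execution outcomes before propagating, as the text describes, rather than trusting pre-execution signals alone.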

The result is a compounding network effect: threats detected in one place become protection everywhere else, and every new customer improves detection accuracy for the entire network.

Reach out to Blockaid for a demo of our end-to-end security platform, and follow us on our social channels or subscribe to our Telegram channel for real-time security updates.


Blockaid is securing the biggest companies operating onchain

Get in touch to learn how Blockaid helps teams secure their infrastructure, operations, and users.