DNS/CDN/frontend hash drift
Aerodrome Finance's assessment for RD-F-105 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
6B exploit-in-progress: DNS/CDN/frontend hash drift. Phase-2 signal; external monitoring stack not deployed. POSTURE IS HIGH RISK: three documented frontend/DNS compromises in ~21 months (2023 ×2, 2025-11-21). The 2025-11-21 NameSilo insider-threat attack involved DNSSEC removal and domain redirect to phishing site; ~$700K–$1M lost; 4-hour remediation window. ENS mirrors (aero.drome.eth.limo, aero.drome.eth.link) established as safer alternatives. Primary domain aerodrome.finance remains active and carries ongoing DNS attack surface. If monitoring were live, the Nov 2025 incident would have fired tier-A instantly. Scored yellow (not red) because signal is not actively firing today — but posture is red-adjacent and this is the highest-priority Cat 6 signal for this protocol.
Sources
- Aerodrome Finance Frontend Attack — CoinDesk. CoinDesk: 'Aerodrome Finance Hit by Front-End Attack, Users Urged to Avoid Main Domain' (2025-11-22) — DNS hijack via NameSilo insider threat, DNSSEC removed, ~$700K losses. Retrieved 2026-05-04.
- Aerodrome 2023 Frontend Attack — Yahoo Finance. Yahoo Finance: 2023-11-29 Porkbun registrar frontend compromise; ~$100K loss. Retrieved 2026-05-04.
- Aerodrome/Velodrome NameSilo Hack Post-Mortem. Incrypted: NameSilo hack post-mortem — DNSSEC removed by insider at NameSilo; 4-hour attack window; $700K documented losses; migration to corporate registrars announced. Retrieved 2026-05-04.
Methodology
Detect whether the hash of the production frontend JS has changed versus the prior published hash, or whether the DNS configuration has changed.
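One way to express the check described in the methodology, as an added example that is not the curator's or the protocol's own tooling: a comparison of an observed snapshot (served JS bytes plus NS, A and DS record sets) against a published baseline. The function names, snapshot layout, finding labels and all sample data are assumptions constructed for illustration; collecting the snapshot (HTTP fetch, DNS queries) is assumed to happen elsewhere.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect_drift(baseline: dict, observed: dict) -> list:
    """Return drift findings between the published baseline and an observed snapshot."""
    findings = []
    # Frontend: every published asset must be served with the published SHA-256.
    for path, expected in baseline["assets"].items():
        body = observed["assets"].get(path)
        if body is None:
            findings.append(f"asset-missing:{path}")
        elif sha256_hex(body) != expected:
            findings.append(f"asset-hash-changed:{path}")
    # DNS: compare record sets, ignoring order and letter case.
    for rtype in ("NS", "A", "DS"):
        old = {r.lower() for r in baseline["dns"].get(rtype, [])}
        new = {r.lower() for r in observed["dns"].get(rtype, [])}
        if old and not new:
            findings.append(f"dns-{rtype}-removed")  # e.g. DS gone = DNSSEC stripped
        elif old != new:
            findings.append(f"dns-{rtype}-changed")
    return findings

# Constructed sample data: placeholder zone, documentation-range IPs, made-up DS record.
PUBLISHED_JS = b"console.log('app build 1');"
BASELINE = {
    "assets": {"/assets/app.js": sha256_hex(PUBLISHED_JS)},
    "dns": {"NS": ["ns1.registrar.example.", "ns2.registrar.example."],
            "A": ["192.0.2.10"],
            "DS": ["12345 13 2 constructed-digest"]},
}
CLEAN = {"assets": {"/assets/app.js": PUBLISHED_JS},
         "dns": {"NS": ["NS2.registrar.example.", "ns1.registrar.example."],
                 "A": ["192.0.2.10"],
                 "DS": ["12345 13 2 constructed-digest"]}}
# Shape of a registrar-level hijack: DS removed, NS and A repointed, script altered.
HIJACKED = {"assets": {"/assets/app.js": PUBLISHED_JS + b"/* altered */"},
            "dns": {"NS": ["ns1.other.example."], "A": ["203.0.113.66"], "DS": []}}

if __name__ == "__main__":
    print("clean:   ", detect_drift(BASELINE, CLEAN))
    print("hijacked:", detect_drift(BASELINE, HIJACKED))
```

A legitimate deploy also changes the asset hash, so the baseline has to be republished as part of each release for the comparison to stay meaningful.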