On November 21st, the centralized domains of both Velodrome and Aerodrome were hijacked and directed to malicious content. This attack was caught and mitigated quickly with the support of our security partners — and a plan for how to move forward is now ready. 👇

TL;DR • The root was an internal security breach at NameSilo • Decentralized domains remain secure and operational • Centralized domains with new infra go live next week • Five leading security firms were consulted • Users affected by malicious domains qualify for grants

As the industry has grown, attacks on the centralized domain infrastructure of DeFi protocols have become tragically common. In just the last few years, dozens of top projects have suffered centralized domain attacks from threat actors.

The most common vector for DNS attacks is the social engineering, or compromising, of centralized domain management services. That is why after consulting with industry leaders we opted to utilize 3DNS which was designed to limit such vectors via multisig control.

While this should have been a security upgrade over even the most robust centralized services, who are only as strong as their weakest human link, it is now clear that that attack vectors in this model remained present.

According to our partners at 3DNS and NameSilo, who are still actively investigating, multisig control was circumvented. DNSSEC was removed from both domains and a compromised insider at NameSilo was able to redirect the domains to malicious pages.

Thanks to the quick actions of @Blockaid_, @0xGroomLake, @_SEAL_Org, and @FTIConsulting, the attacks were mitigated quickly. Within 2 minutes of the first known malicious transaction, major wallets such as Metamask and Coinbase Wallet were displaying warnings.

Taking into account the varying propagation times of fixes, the attack was fully mitigated in under 4 hours - and its impact was limited to approximately $700,000 lost by users who connected and signed transactions on the malicious site while it was still active.

Since the attack, 3DNS and NameSilo have been both cooperative and transparent -- and are continuing to investigate root causes and overhauls of their own practices to prevent future issues. We continue to believe in the future of a robust and secure decentralized domain stack.

However on the advice of our security partners, we have chosen to not bring back up the centralized domains on the same infrastructure. We appreciate the patience of users of Velodrome and Aerodrome here.

Currently, we are working with our security advisors and executives of some of the top enterprise registrars in order to deliver a solution that meets the unique requirements of one DeFi's most prominent applications. We expect domains to migrate and re-open next week.

We also plan to give security focused teams the option to download and run the dApps in a fully self-hosted fashion. This means users will be able to use Velodrome and Aerodrome behind firewalled and private networks with their own RPC endpoints.

Additionally, the Aero + Velo Foundations are working on a plan to offer grants to users proportional to their losses in signing malicious transactions. These programs will be subject to verification requirements. For now if you were impacted, please open a ticket in Discord.

For a full timeline of the attack, please review the full report hosted on IPFS that is linked below: