Aave hacked via periphery contract — $56K stolen from ‘tip jar’
A ‘periphery’ contract of the decentralized finance (DeFi) sector’s biggest lending platform, Aave, was hacked for a total of $56,000 earlier today.
Aave, which contains assets worth over $11 billion according to data from DeFiLlama, has made clear that the attack, which began, around 04:30 UTC placed no user funds at risk. Founder Stani Kulechov and governance delegate Marc Zeller both took to X (formerly Twitter) to reassure users.
Fuzzland’s Chaofan Shou identified the cause of the hack, pointing to transactions on four networks: Ethereum, Aribtrum, Polygon, and Optimism. He estimated the total funds at risk to be around $70,000.
According to analysis by security firm QuillAudits, the losses to attacks on the above networks totaled approximately $51,000. A further attack on Avalanche netted around $5,000. Funds were forwarded to a holding address on all networks.
The affected periphery contract, ParaSwapRepayAdapter, isn’t part of the core Aave protocol and appears not to have been audited. It allows users to repay borrow positions using existing collateral, swapping assets via decentralized exchange ParaSwap.
While the contract itself isn’t designed to hold user funds, the positive slippage on swaps leads to a gradual accrual of any leftover tokens.
In response to questions about the origin of the funds stolen, Aave delegate Marc Zeller said, “Someone raided the tip jar.”
Aave development contributor BGD Labs later responded with more detail, informing users that losses were limited to the affected contracts and couldn’t spread to the wider protocol. The post also highlights that there’s no risk of a token approval-related attack.
Glass houses
Two days ago, Euler Finance founder Michael Bently accused Aave of sweeping “major security issues” under the rug, in response to Kulechov’s teasing over Euler’s $200 million hack in March last year.
The comments, made in popular DeFi Telegram community LobsterDAO, resurfaced after today’s news, devolving into an argument between the two lending protocols.
Bently accused the Aave team of “celebrating and tweeting misinformation” shortly after Euler was drained, as well as claiming that Aave is held to different security standards by the community at large.
In November 2023, a reported security incident led to a number of Aave pools being paused, but full details remained unpublished, citing concern for potentially vulnerable ‘forks’.
However, plenty of Aave forks have been hacked in the past, with little sympathy from the original protocol.
Kulechov dismissed his own earlier comment as “shitposting” while downplaying today’s event as “basically a tip jar arbed.” Then referring to Bently’s “tiring” talk of the upcoming Euler v2, Kulechov snapped “go build it and fuck off.”
Aave is certainly no stranger to heated relationships with other organizations in DeFi. Earlier this year, risk management team Gauntlet decided to leave the protocol after frustrations boiled over.