[Aave’s peripheral contract was hacked and US$56,000 was stolen]
Today, a “peripheral” contract of Aave, the largest lending platform in the decentralized finance (DeFi) industry, was hacked, resulting in a total loss of $56,000.
Aave has more than $11 billion in assets, according to DefiLlama. Aave said the attack did not pose a threat to user funds. Founder Stani Kulechov and governance representative Marc Zeller reassured users on X (formerly Twitter) of the protocol's safety and security.
The attack involved four networks: Ethereum, Arbitrum, Polygon and Optimism. Fuzzland's Chaofan Shou puts the total at risk at about $70,000. Security firm QuillAudits said the attacks on those networks cost about $51,000, and further attacks on Avalanche cost about another $5,000. All funds were transferred to a holding address.
The affected contract, ParaSwapRepayAdapter, is not part of the Aave core protocol and does not appear to have been audited. The contract allows users to repay borrowings using existing collateral and exchange assets through the decentralized exchange ParaSwap. Although the contract is not designed to hold user funds, positive slippage in the exchange of assets can cause residual tokens to accumulate.
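The accumulation described above, as a simplified Python model added here; it is not Aave's or ParaSwap's code. The class, parameters, rates and sample calls are constructed assumptions, and refunding the surplus is one possible design, not a fix the article reports.

```python
# Simplified model (constructed for illustration): a repay adapter that swaps
# a user's collateral for the debt asset and repays the loan with the proceeds.
from dataclasses import dataclass, field

BPS = 10_000  # basis-point denominator


@dataclass
class RepayAdapter:
    refund_surplus: bool      # False: swap surplus is left in the adapter
    held: int = 0             # debt-asset tokens sitting in the adapter
    refunded: dict = field(default_factory=dict)

    def swap_and_repay(self, user, collateral_in, quoted_bps, executed_bps,
                       max_slippage_bps, debt):
        """Swap at executed_bps, repay up to `debt`; return (repaid, surplus)."""
        before = self.held
        min_out = collateral_in * quoted_bps * (BPS - max_slippage_bps) // (BPS * BPS)
        received = collateral_in * executed_bps // BPS
        if received < min_out:
            raise ValueError("negative slippage beyond tolerance: revert")
        self.held += received                 # swap proceeds arrive
        repaid = min(received, debt)
        self.held -= repaid                   # loan is repaid
        surplus = received - repaid           # positive slippage ends up here
        if self.refund_surplus:
            self.refunded[user] = self.refunded.get(user, 0) + surplus
            self.held -= surplus
            # Invariant for a contract that is not meant to hold funds.
            assert self.held == before, "adapter retained tokens"
        return repaid, surplus


def run(refund_surplus):
    """Replay three constructed repayments; return (adapter balance, refunded)."""
    adapter = RepayAdapter(refund_surplus)
    # (user, collateral_in, quoted_bps, executed_bps, max_slippage_bps, debt)
    calls = [
        ("alice", 1_000_000, 10_000, 10_030, 50, 1_000_000),  # +0.30% slippage
        ("bob",   2_500_000, 10_000,  9_990, 50, 2_497_500),  # -0.10% slippage
        ("carol",   400_000, 10_000, 10_100, 50,   400_000),  # +1.00% slippage
    ]
    for call in calls:
        adapter.swap_and_repay(*call)
    return adapter.held, sum(adapter.refunded.values())
```

`run(False)` shows the "tip jar" growing with each favourable swap, while `run(True)` ends every call with the adapter balance unchanged.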
Aave representative Marc Zeller responded: "Someone looted the tip jar." BGD Labs also stated that the loss was limited to the affected contract and could not spread to the wider protocol, and there was no risk of token authorization-related attacks.
Previously, Euler Finance founder Michael Bentley accused Aave of covering up "major security issues," in response to Kulechov's ridicule after Euler suffered a $200 million hack last March. The incident sparked a dispute between the two lending protocols.
Kulechov described his comments as "joking" and said today's incident was "basically just a tip jar being arbitraged". He also expressed impatience with Bentley talking about the upcoming Euler v2, saying: "Go do your thing and stop being annoying."
Tensions between Aave and other DeFi organizations have been around for a long time. Earlier this year, risk management team Gauntlet left the protocol amid dissatisfaction.