
Aave

Multi-Chain
Last audited on 11/09/2024
No active critical issues

Last Issues (10)

            Low   Medium   High   Critical   Total
Not fixed     1        -      -          -       1
Fixed         6        1      2          -       9
Total         7        1      2          0      10

Reported rekts

Aave was reported as rekt on 27/08/2024
Quick Summary

On August 28, 2024, Aave’s periphery contract, specifically the Repay With Collateral Adapter V3, was exploited, resulting in a
loss of $56,000 USD across multiple chains.




Details of the Exploit

The vulnerability was rooted in the _buyOnParaSwap function of the Aave Collateral Repay Adapter V3 contract. This function,
which interacted with the Paraswap contract, granted a high token allowance to the swap target and did not reduce it when a
swap failed or was only partially executed. The allowance that remained after such a swap let the attacker pull tokens out of
the adapter without authorization. The root cause was that the function neither validated nor sanitized the caller-supplied
paraswapData and never verified the outcome of the swap. The attacker therefore crafted paraswapData that manipulated the swap
or skipped it entirely; with the allowance left unchecked, the intended swap logic was bypassed and funds were transferred
out of the contract.
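The defensive pattern that the description points to is to bound the allowance to the amount a single swap may spend, clear it on every code path, and judge the swap by the adapter's measured balance change rather than by the caller's calldata. The contract below is an added illustration written for this page; it is not Aave's adapter code and does not reproduce _buyOnParaSwap. The names SwapAdapterExample, _swapViaAggregator and aggregator are hypothetical placeholders, and the ERC-20 interface is the minimal subset the example needs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Aave's code. Contract and function names are
// hypothetical; the aggregator address is an assumed constructor parameter.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

contract SwapAdapterExample {
    address public immutable aggregator;

    constructor(address aggregator_) {
        aggregator = aggregator_;
    }

    /// The weak pattern described on the page grants a large allowance, calls
    /// the aggregator with caller-supplied calldata, and checks neither the
    /// swap result nor the leftover allowance. This version:
    ///   1. approves exactly maxAmountIn, never an open-ended amount;
    ///   2. resets the allowance to zero after the call, whether or not the
    ///      aggregator spent it, so a failed or partial swap leaves nothing
    ///      spendable behind;
    ///   3. verifies the outcome from balance deltas, independent of calldata.
    function _swapViaAggregator(
        IERC20 assetIn,
        IERC20 assetOut,
        uint256 maxAmountIn,
        uint256 minAmountOut,
        bytes calldata swapCalldata
    ) internal returns (uint256 amountSold, uint256 amountBought) {
        uint256 inBefore = assetIn.balanceOf(address(this));
        uint256 outBefore = assetOut.balanceOf(address(this));

        // Allowance bounded to what this single swap is permitted to spend.
        require(assetIn.approve(aggregator, maxAmountIn), "approve failed");

        (bool ok, ) = aggregator.call(swapCalldata);
        require(ok, "swap call reverted");

        // Always clear the allowance on the success path; a revert above
        // already undoes the approval.
        require(assetIn.approve(aggregator, 0), "approve reset failed");

        uint256 inAfter = assetIn.balanceOf(address(this));
        uint256 outAfter = assetOut.balanceOf(address(this));

        // The adapter's input balance must not grow and its output balance
        // must not shrink; 0.8 checked arithmetic reverts on either case.
        amountSold = inBefore - inAfter;
        amountBought = outAfter - outBefore;

        // Judge the swap by what actually happened, not by the calldata.
        require(amountSold <= maxAmountIn, "sold more than allowed");
        require(amountBought >= minAmountOut, "insufficient output");
    }
}
```

A reviewer checking an adapter of this kind would look for the three properties in the comment block: a bounded approval, an unconditional reset, and an outcome check based on balances. Tokens that do not return a bool from approve (USDT is the usual example) need a low-level call or a safe-approve helper instead of the bare require shown here.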




Block Data Reference

Exploiter:

https://etherscan.io/address/0x6ea83f23795F55434C38bA67FCc428aec0C296DC

Exploit tx:

https://etherscan.io/tx/0xc27c3ec61c61309c9af35af062a834e0d6914f9352113617400577c0f2b0e9de

Audits (10)

#   Name                       Auditor         Date        Chains               Issues
1   Aave v3.2 Liquid eModes    OXORIO          11/09/2024  Off-Chain (Private)  No active critical issues
2   Aave V3                    ChainSecurity   25/08/2022  Off-Chain (Private)  No active critical issues
3   bridge executors           ChainSecurity   26/07/2022  Off-Chain (Private)  No active critical issues
4   Aave Protocol V2           Consensys       31/08/2020  Off-Chain (Private)  No active critical issues
5   Aave Safety Module         Consensys       31/08/2020  Off-Chain (Private)  No active critical issues
6   Aave Governance Dao        Consensys       31/07/2020  Off-Chain (Private)  No active critical issues
7   Aave Token                 Consensys       30/06/2020  Off-Chain (Private)  No active critical issues
8   Aave CPM Price Provider    Consensys       30/04/2020  Off-Chain (Private)  No active critical issues
9   Aave Protocol Audit        OpenZeppelin    15/01/2020  Off-Chain (Private)  No active critical issues
10  Aave Protocol Audit        OpenZeppelin    15/01/2020  Off-Chain (Private)  No active critical issues