ParaSwapRepayAdapter periphery Aave's contract is hacked — $56K stolen from ‘tip jar’


The affected periphery contract, ParaSwapRepayAdapter, isn't part of the core Aave protocol and appears not to have been audited. It allows users to repay borrow positions using existing collateral, swapping assets via decentralized exchange ParaSwap.

A contract of the decentralized finance (DeFi) sector's largest lending platform, Aave, was hacked for a total of $56,000 earlier today.

Aave, which contains assets worth over $11 billion according to data from DeFiLlama, has made clear that the attack, which began around 04:30 UTC, placed no user funds at risk. Founder Stani Kulechov and governance delegate Marc Zeller both took to X (formerly Twitter) to reassure users.

Chaofan Shou of Fuzzland identified the cause of the hack, pointing to transactions on four networks: Ethereum, Arbitrum, Polygon, and Optimism. He estimated the total funds at risk to be around $70,000.

According to analysis by security firm QuillAudits, the losses to attacks on the above networks totaled approximately $51,000. A further attack on Avalanche netted around $5,000. Funds were forwarded to a holding address on all networks.


While the contract itself isn't designed to hold user funds, positive slippage on swaps means that leftover tokens gradually accumulate in it.

In response to questions about the origin of the funds stolen, Aave delegate Marc Zeller said, "Someone raided the tip jar."

Aave development contributor BGD Labs later responded with more detail, informing users that losses were limited to the affected contracts and couldn't spread to the wider protocol. The post also highlights that there's no risk of a token approval-related attack.
