Aave Periphery ParaSwapRepayAdapter $56k exploit

On 28th August 4:29 UTC, an Aave’s periphery smart contract (not part of Aave core) was exploited and ParaSwapRepayAdapter was robbed. The attacker wiped away the accumulated dust. As a result of positive slippage, dust was getting accumulated in ParaSwapRepayAdapter since 12th July 2023 – the date of deployment. The root cause is identified to be “Arbitrary Call Error”. The attack was executed on Ethereum, Arbitrum, Polygon, and Optimism, but for now we will focus on the analysis of attack transaction .

The attack was performed in a single atomic transaction that included the creation and deployment of an Attacker Smart Contract. Attacker leveraged the flashloan that was taken from Balancer Vault. The attack involves multiple tokens including WBTC, WstETH, USDC, WETH, and USDT.

• wstETH: ~0.43
• WETH: ~1.68
• USDC: ~21,426
• USDT: ~5,195

Ethereum mainnet:
Transaction hash: 0xc27c3ec61c61309c9af35af062a834e0d6914f9352113617400577c0f2b0e9de
ParaSwapRepayAdapter: 0x02e7B8511831B1b02d9018215a0f8f500Ea5c6B3
Attacker: 0x6ea83f23795f55434c38ba67fcc428aec0c296dc
Attacker Contract: 0x78b0168a18ef61d7460fabb4795e5f1a9226583e