Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Aurellion Labs' Diamond Proxy contract (EIP-2535) was exploited due to an unprotected initialize(address) function in the SafeOwnable Facet. Although an owner was set, the OpenZeppelin-style _initialized storage slot remained 0, allowing re-initialization. The attacker called initialize() to take ownership, used diamondCut to add a malicious facet with pullERC20/sweep functions, and drained USDC from wallets that had previously approved the diamond proxy. The project paused operations, committed to reimbursing users, and advised revoking old approvals. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $455,003.
- chain: —
- protocol: Aurellion Labs
- bug_class: access-control
- date_occurred: 2026-05-12
- loss_usd: $455,003
- source_id: sm:aurellion-labs::2026-05-12
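
The re-initialization condition described above, shown as a weak initializer guard beside a hardened one. This is an added illustration, not Aurellion Labs' code; the library, contract names and storage layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; names and storage layout are hypothetical.
library OwnableStorage {
    struct Layout {
        address owner;
        uint8 initialized; // 0 = initializer has never run
    }

    bytes32 internal constant SLOT = keccak256("example.ownable.storage");

    function layout() internal pure returns (Layout storage l) {
        bytes32 slot = SLOT;
        assembly {
            l.slot := slot
        }
    }
}

// Weak form: the guard looks only at the flag. If deployment wrote `owner`
// through another path and left `initialized` at 0, the call still succeeds
// and overwrites the existing owner.
contract OwnableFacetWeak {
    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        require(l.initialized == 0, "already initialized");
        l.initialized = 1;
        l.owner = newOwner;
    }
}

// Hardened form: refuses to run when either the flag or the owner is already
// set, so an owner written by another path still blocks re-initialization.
contract OwnableFacetHardened {
    error AlreadyInitialized();
    error ZeroOwner();

    function initialize(address newOwner) external {
        OwnableStorage.Layout storage l = OwnableStorage.layout();
        if (l.initialized != 0 || l.owner != address(0)) revert AlreadyInitialized();
        if (newOwner == address(0)) revert ZeroOwner();
        l.initialized = 1;
        l.owner = newOwner;
    }
}
```

A post-deployment check that reads the flag through the proxy and fails the release when it is still 0 catches this mismatch before users grant token approvals to the proxy.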