VERDICT: UNRATED
Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
A custom sAVAX Aave Rebalancer contract on Avalanche was exploited. The public function b2a13230() let the caller supply an arbitrary target and data, and the contract executed target.call(data) while it still held the user’s Aave V3 Credit Delegation (borrowing permission). The attacker used this to call Aave’s borrow() on behalf of the victim and drain WAVAX. A whitehat bot front-ran the transaction and recovered all funds before any withdrawal, resulting in zero net loss to the user. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $64,000.
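The pattern described above, next to a guarded form, as an added example that is not the exploited contract's code. The contract name, function names and allowlist layout are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration; every name here is hypothetical.
contract RebalancerSketch {
    // The user who delegated Aave borrowing power to this contract.
    address public immutable owner;
    // target => function selector => permitted
    mapping(address => mapping(bytes4 => bool)) public allowedCall;

    error NotOwner();
    error CallNotAllowed(address target, bytes4 selector);
    error CallFailed();

    constructor(address owner_) {
        owner = owner_;
    }

    // VULNERABLE pattern: any caller chooses target and data, so the call runs
    // with this contract's identity, including any credit delegated to it.
    function executeUnsafe(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }

    // GUARDED form: owner-only, and only pre-approved (target, selector) pairs.
    function executeGuarded(address target, bytes calldata data) external {
        if (msg.sender != owner) revert NotOwner();
        bytes4 selector = data.length >= 4 ? bytes4(data[:4]) : bytes4(0);
        if (!allowedCall[target][selector]) revert CallNotAllowed(target, selector);
        (bool ok, ) = target.call(data);
        if (!ok) revert CallFailed();
    }

    // Owner maintains the allowlist of calls the contract may forward.
    function setAllowed(address target, bytes4 selector, bool ok) external {
        if (msg.sender != owner) revert NotOwner();
        allowedCall[target][selector] = ok;
    }
}
```

A selector allowlist does not constrain call arguments, so any forwarded call that accepts an on-behalf-of address still needs that argument checked before it is permitted.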
Sourced from
slowmist
Technical record
- chain: avalanche
- protocol: Custom Aave Rebalancer
- bug_class: logic
- date_occurred: 2026-04-19
- loss_usd: $64,000
- source_id: sm:custom-aave-rebalancer::2026-04-19