Victim 0x9828 had previously granted ERC20 approval over their yvETH (Yearn Vault ETH) balance to contract 0x143a, which TenArmor identified as a 'multicall aggregator'. The attacker invoked the aggregator to chain calls through it, ultimately executing transferFrom against the victim's approval to drain ~$980K of yvETH. The vulnerability is NOT a smart-contract bug in yvETH or in the aggregator per se — it is the classic stale-approval / malicious-aggregator drain that defines modern crypto phishing: a victim grants over-broad approval (often max-uint256) to a contract they trusted at signing time, and the contract's operator later weaponizes it. Mitigation is approval hygiene (revoke after use, prefer permit2-style time-limited approvals, use approval-tracking tools like Revoke.cash) — not a smart-contract patch.
Method: Approval-drainer via multicall aggregator (phishing pattern).
Notes: Attacker contract: 0x143a (multicall aggregator). Approval-drainer pattern. Attack tx: 0xebaaab69baa3cd2543eb80ecfb8e3ed226b9e5a6f5694891a8adf4edbcbd8107. First flagged by TenArmor TenMonitor.
- chain: ethereum
- protocol: Multicall yvETH Approval Abuse (victim 0x9828)
- bug_class: phishing
- date_occurred: 2026-04-28
- loss_usd: $980,100
- source_id: tenarmor:ethereum:0xebaaab69baa3cd2543eb80ecfb8e3ed226b9e5a6f5694891a8adf4edbcbd8107
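
The approval-hygiene mitigation above comes down to knowing which allowances an address still has open. The following is an added example, not code from this record or from TenArmor: it replays ERC-20 `Approval` logs for one owner and ranks the outstanding allowances. All addresses, block numbers and values are constructed, and the "unlimited" and "stale" thresholds are assumptions.

```python
# Added example: audit one owner's open ERC-20 allowances from Approval logs.
# All addresses, blocks and values below are constructed, not from the incident.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED_FLOOR = 2**255  # assumption: at or above this counts as "unlimited"

def addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def audit_approvals(logs, owner, head_block, stale_after_blocks):
    """Return owner's open allowances, riskiest first. Logged values are upper
    bounds (transferFrom spends without emitting Approval): confirm on-chain."""
    owner, latest = owner.lower(), {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        t = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics; skip it
        if len(t) != 3 or t[0].lower() != APPROVAL_TOPIC or addr(t[1]) != owner:
            continue
        latest[(log["address"].lower(), addr(t[2]))] = (int(log["data"], 16), log["blockNumber"])
    findings = []
    for (token, spender), (value, block) in latest.items():
        if value == 0:
            continue  # last event was a revoke: approve(spender, 0)
        age = head_block - block
        findings.append({"token": token, "spender": spender, "allowance": value,
                         "age_blocks": age, "unlimited": value >= UNLIMITED_FLOOR,
                         "stale": age >= stale_after_blocks})
    return sorted(findings, key=lambda f: (not f["unlimited"], not f["stale"], -f["age_blocks"]))

OWNER, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
AGGREGATOR, DEX, OLD_APP = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20

def approval(block, idx, spender, value, owner=OWNER):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")  # address -> 32-byte topic
    return {"address": TOKEN, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)], "data": hex(value)}

SAMPLE_LOGS = [
    approval(1_000, 0, AGGREGATOR, 2**256 - 1),  # unlimited, never revoked
    approval(1_200, 3, OLD_APP, 5 * 10**18),     # granted...
    approval(1_300, 1, OLD_APP, 0),              # ...then revoked
    approval(9_900, 2, DEX, 10**18),             # recent, bounded
    approval(1_100, 0, AGGREGATOR, 1, owner="0x" + "33" * 20),  # other owner
]

if __name__ == "__main__":
    for f in audit_approvals(SAMPLE_LOGS, OWNER, head_block=10_000, stale_after_blocks=5_000):
        print(f)
```

The unlimited, never-revoked grant to the constructed aggregator address sorts first; that is the shape of approval this record describes being abused.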