According to ChainCatcher, HyperEVM's native decentralized lending protocol, HypurrFi, published an article on the X platform stating that versions of Aave prior to 3.5 contain a "rounding error" vulnerability. Under certain conditions, attackers can extract underlying tokens by repeatedly executing supply/withdrawal and lending/repayment cycles.
The affected markets are XAUT0 and UBTC in HypurrFi Pooled. Currently, user funds are not at risk. To ensure security, new supply and lending operations have been suspended in these markets. Withdrawals and repayments remain operational, and other markets are running normally. HypurrFi added that it quickly detected the issue on-chain through its internal monitoring system and promptly froze the affected markets. It is also collaborating with other Aave deployers and security researchers to address the issue and has invited other Aave forks to contact them for more security information.
