HypurrFi disclosed a vulnerability in an early version of Aave V3 and has suspended new lending and borrowing in the XAUT0 and UBTC markets.

According to Mars Finance, HypurrFi, the native decentralized lending protocol of HyperEVM, announced on the X platform that a "rounding error" vulnerability exists in versions of Aave prior to V3 3.5. Under certain conditions, attackers can extract underlying tokens by repeatedly executing supply/withdrawal and lending/repayment cycles. The affected markets are XAUT0 and UBTC in HypurrFi Pooled. Currently, user funds are not at risk. To ensure security, new supply and lending operations in the affected markets have been suspended. Withdrawal and repayment functions remain operational, and other markets are running normally. HypurrFi added that it quickly detected the issue on-chain through its internal monitoring system and promptly froze the affected markets. It is also collaborating with other Aave deployers and security researchers to address the issue and has invited other Aave forks to contact them for more security information.